[kernel] r6649 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series
Dann Frazier
dannf at costa.debian.org
Sat May 20 16:31:51 UTC 2006
Author: dannf
Date: Sat May 20 16:31:50 2006
New Revision: 6649
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-hb-ack-overflow.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
Log:
* sctp-hb-ack-overflow.dpatch
[SECURITY] Fix a remote buffer overflow that can result from a badly
formatted HB-ACK chunk
See CVE-2006-1857
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat May 20 16:31:50 2006
@@ -88,8 +88,12 @@
* nfs-another-O_DIRECT-fix.dpatch
[SECURITY] Fix a potential local DoS vulnerability in the NFS O_DIRECT code
See CVE-2006-0555
+ * sctp-hb-ack-overflow.dpatch
+ [SECURITY] Fix a remote buffer overflow that can result from a badly
+ formatted HB-ACK chunk
+ See CVE-2006-1857
- -- dann frazier <dannf at debian.org> Sat, 20 May 2006 02:55:31 -0500
+ -- dann frazier <dannf at debian.org> Sat, 20 May 2006 11:30:27 -0500
kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-hb-ack-overflow.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-hb-ack-overflow.dpatch Sat May 20 16:31:50 2006
@@ -0,0 +1,31 @@
+From: Vladislav Yasevich <vladislav.yasevich at hp.com>
+Date: Fri, 19 May 2006 21:25:53 +0000 (-0700)
+Subject: [SCTP]: Validate the parameter length in HB-ACK chunk.
+X-Git-Url: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a601266e4f3c479790f373c2e3122a766d123652
+
+[SCTP]: Validate the parameter length in HB-ACK chunk.
+
+If SCTP receives a badly formatted HB-ACK chunk, it is possible
+that we may access invalid memory and potentially have a buffer
+overflow. We should really make sure that the chunk format is
+what we expect, before attempting to touch the data.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+Signed-off-by: Sridhar Samudrala <sri at us.ibm.com>
+---
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -1019,6 +1019,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(
+ commands);
+
+ hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
++ /* Make sure that the length of the parameter is what we expect */
++ if (ntohs(hbinfo->param_hdr.length) !=
++ sizeof(sctp_sender_hb_info_t)) {
++ return SCTP_DISPOSITION_DISCARD;
++ }
++
+ from_addr = hbinfo->daddr;
+ link = sctp_assoc_lookup_paddr(asoc, &from_addr);
+
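Review bot: the new check in sctp_sf_backbeat_8_3() validates only the length the peer declared in hbinfo->param_hdr.length, and it reads that field straight from chunk->skb->data without any visible confirmation that the chunk really carries sizeof(sctp_sender_hb_info_t) bytes after the chunk header. A HB-ACK whose declared parameter length matches but whose chunk is shorter would still reach the hbinfo->daddr read that follows. If nothing earlier in the function covers this, compare the chunk's own length against the chunk header plus sizeof(sctp_sender_hb_info_t) before the cast. The strict != comparison is the right choice because the heartbeat info is an echo of data this host generated, and a short comment saying so would explain why longer parameters are rejected as well as shorter ones.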
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 Sat May 20 16:31:50 2006
@@ -24,3 +24,4 @@
+ s390-strnlen_user-return.dpatch
+ xfs-ftruncate-leak.dpatch
+ nfs-another-O_DIRECT-fix.dpatch
++ sctp-hb-ack-overflow.dpatch