[kernel] r11694 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Wed Jun 25 05:04:06 UTC 2008


Author: dannf
Date: Wed Jun 25 05:04:03 2008
New Revision: 11694

Log:
bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch
[SECURITY] Fix potential overflow condition in
sctp_getsockopt_local_addrs_old
See CVE-2008-2826

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch
   dists/etch-security/linux-2.6/debian/patches/series/18etch7
Modified:
   dists/etch-security/linux-2.6/debian/changelog

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed Jun 25 05:04:03 2008
@@ -1,3 +1,12 @@
+linux-2.6 (2.6.18.dfsg.1-18etch7) UNRELEASED; urgency=low
+
+  * bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch
+    [SECURITY] Fix potential overflow condition in
+    sctp_getsockopt_local_addrs_old
+    See CVE-2008-2826
+
+ -- dann frazier <dannf at debian.org>  Mon, 23 Jun 2008 20:06:16 -0600
+
 linux-2.6 (2.6.18.dfsg.1-18etch6) stable-security; urgency=high
 
   * bugfix/dccp-feature-length-check.patch
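Review bot: The new 18etch7 entry is marked urgency=low although it carries a [SECURITY] fix with a CVE reference, while the 18etch6 entry directly below it uses urgency=high. Unless the low urgency is deliberate, raise it to match when the distribution is switched from UNRELEASED to stable-security for upload.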

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch	Wed Jun 25 05:04:03 2008
@@ -0,0 +1,29 @@
+commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62
+Author: David S. Miller <davem at davemloft.net>
+Date:   Fri Jun 20 22:04:34 2008 -0700
+
+    sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
+    
+    As noticed by Gabriel Campana, the kmalloc() length arg
+    passed in by sctp_getsockopt_local_addrs_old() can overflow
+    if ->addr_num is large enough.
+    
+    Therefore, enforce an appropriate limit.
+    
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index e7e3baf..0dbcde6 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4401,7 +4401,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len,
+ 	if (copy_from_user(&getaddrs, optval, len))
+ 		return -EFAULT;
+ 
+-	if (getaddrs.addr_num <= 0) return -EINVAL;
++	if (getaddrs.addr_num <= 0 ||
++	    getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
++		return -EINVAL;
+ 	/*
+ 	 *  For UDP-style sockets, id specifies the association to query.
+ 	 *  If the id field is set to the value '0' then the locally bound
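Review bot: In the added condition in sctp_getsockopt_local_addrs_old(), the right-hand side `INT_MAX / sizeof(union sctp_addr)` has type size_t, so if addr_num is a signed int (as the `<= 0` test suggests) a negative value would be converted to a large unsigned number in that comparison. The result is still correct because the `<= 0` test runs first and both branches return -EINVAL, but the bound depends on that ordering, so a short comment saying so would keep a later reordering from weakening it. Separately, the limit only stops the multiplication from wrapping: an addr_num just under the bound still asks kmalloc() for close to INT_MAX bytes, so it is worth confirming that the allocation result is checked further down (not visible in this hunk) and considering a tighter cap tied to what the caller can actually receive.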

Added: dists/etch-security/linux-2.6/debian/patches/series/18etch7
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/18etch7	Wed Jun 25 05:04:03 2008
@@ -0,0 +1 @@
++ bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch


