[kernel] r12379 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Nov 11 02:07:48 UTC 2008
Author: dannf
Date: Tue Nov 11 02:07:45 2008
New Revision: 12379
Log:
* Fix oops in SCTP
- bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
See CVE-2008-4576
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/23etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Tue Nov 11 02:07:45 2008
@@ -18,8 +18,11 @@
- bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
- bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
See CVE-2008-3528
+ * Fix oops in SCTP
+ - bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
+ See CVE-2008-4576
- -- dann frazier <dannf at debian.org> Mon, 10 Nov 2008 14:31:39 -0700
+ -- dann frazier <dannf at debian.org> Mon, 10 Nov 2008 16:42:11 -0700
linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch Tue Nov 11 02:07:45 2008
@@ -0,0 +1,64 @@
+commit add52379dde2e5300e2d574b172e62c6cf43b3d3
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date: Thu Sep 18 16:28:27 2008 -0700
+
+ sctp: Fix oops when INIT-ACK indicates that peer doesn't support AUTH
+
+ If INIT-ACK is received with SupportedExtensions parameter which
+ indicates that the peer does not support AUTH, the packet will be
+ silently ignore, and sctp_process_init() do cleanup all of the
+ transports in the association.
+ When T1-Init timer is expires, OOPS happen while we try to choose
+ a different init transport.
+
+ The solution is to only clean up the non-active transports, i.e
+ the ones that the peer added. However, that introduces a problem
+ with sctp_connectx(), because we don't mark the proper state for
+ the transports provided by the user. So, we'll simply mark
+ user-provided transports as ACTIVE. That will allow INIT
+ retransmissions to work properly in the sctp_connectx() context
+ and prevent the crash.
+
+ Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/net/sctp/associola.c linux-source-2.6.18/net/sctp/associola.c
+--- linux-source-2.6.18.orig/net/sctp/associola.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/sctp/associola.c 2008-11-10 16:27:20.000000000 -0700
+@@ -546,11 +546,12 @@ struct sctp_transport *sctp_assoc_add_pe
+ /* Check to see if this is a duplicate. */
+ peer = sctp_assoc_lookup_paddr(asoc, addr);
+ if (peer) {
++ /* An UNKNOWN state is only set on transports added by
++ * user in sctp_connectx() call. Such transports should be
++ * considered CONFIRMED per RFC 4960, Section 5.4.
++ */
+ if (peer->state == SCTP_UNKNOWN) {
+- if (peer_state == SCTP_ACTIVE)
+- peer->state = SCTP_ACTIVE;
+- if (peer_state == SCTP_UNCONFIRMED)
+- peer->state = SCTP_UNCONFIRMED;
++ peer->state = SCTP_ACTIVE;
+ }
+ return peer;
+ }
+diff -urpN linux-source-2.6.18.orig/net/sctp/sm_make_chunk.c linux-source-2.6.18/net/sctp/sm_make_chunk.c
+--- linux-source-2.6.18.orig/net/sctp/sm_make_chunk.c 2008-10-13 09:28:32.000000000 -0600
++++ linux-source-2.6.18/net/sctp/sm_make_chunk.c 2008-11-10 16:27:20.000000000 -0700
+@@ -1964,12 +1964,10 @@ clean_up:
+ /* Release the transport structures. */
+ list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
+ transport = list_entry(pos, struct sctp_transport, transports);
+- list_del_init(pos);
+- sctp_transport_free(transport);
++ if (transport->state != SCTP_ACTIVE)
++ sctp_assoc_rm_peer(asoc, transport);
+ }
+
+- asoc->peer.transport_count = 0;
+-
+ nomem:
+ return 0;
+ }
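Review bot: The `if (transport->state != SCTP_ACTIVE)` test in the clean_up loop of sm_make_chunk.c has no comment, although the whole fix depends on the invariant it encodes: going by the commit message, ACTIVE transports are the locally supplied ones and must survive so the T1-init retransmission still has a transport to choose. I would add above it `/* Keep ACTIVE transports; only peer-added ones are dropped so INIT retransmission still has a path. */`. Removing `asoc->peer.transport_count = 0;` presumably relies on sctp_assoc_rm_peer() maintaining the count itself, which is not visible here and is worth confirming against the 2.6.18 tree this patch was adjusted for. In the associola.c part, the new comment says CONFIRMED while the code writes `SCTP_ACTIVE`, and `peer_state` is no longer consulted on this path, so the comment should name the state actually set and say the argument is ignored for UNKNOWN duplicates. Both functions begin outside the shown context.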
Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1 Tue Nov 11 02:07:45 2008
@@ -4,3 +4,4 @@
+ bugfix/dont-allow-splice-to-files-opened-with-O_APPEND.patch
+ bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
+ bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
++ bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch