[kernel] r12184 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Sep 5 16:19:13 UTC 2008


Author: dannf
Date: Fri Sep  5 16:19:11 2008
New Revision: 12184

Log:
* Fix overflow condition in sctp_setsockopt_auth_key (CVE-2008-3526)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-auth-key-length-check.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Fri Sep  5 16:19:11 2008
@@ -7,8 +7,9 @@
   * Fix regression introduced upstream by the fixes for CVE-2008-1673
   * Fix integer overflow in dccp_setsockopt_change() (CVE-2008-3276)
   * Fix potential memory leak in lookup path (CVE-2008-3275)
+  * Fix overflow condition in sctp_setsockopt_auth_key (CVE-2008-3526)
 
- -- dann frazier <dannf at debian.org>  Fri, 29 Aug 2008 00:22:57 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 05 Sep 2008 10:12:32 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.4) stable; urgency=low
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-auth-key-length-check.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-auth-key-length-check.patch	Fri Sep  5 16:19:11 2008
@@ -0,0 +1,44 @@
+commit 30c2235cbc477d4629983d440cdc4f496fec9246
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Mon Aug 25 15:16:19 2008 -0700
+
+    sctp: add verification checks to SCTP_AUTH_KEY option
+    
+    The structure used for SCTP_AUTH_KEY option contains a
+    length that needs to be verfied to prevent buffer overflow
+    conditions.  Spoted by Eugene Teo <eteo at redhat.com>.
+    
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.26.orig/net/sctp/auth.c linux-source-2.6.26/net/sctp/auth.c
+--- linux-source-2.6.26.orig/net/sctp/auth.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sctp/auth.c	2008-08-26 17:34:22.000000000 -0600
+@@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth
+ {
+ 	struct sctp_auth_bytes *key;
+ 
++	/* Verify that we are not going to overflow INT_MAX */
++	if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))
++		return NULL;
++
+ 	/* Allocate the shared key */
+ 	key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp);
+ 	if (!key)
+diff -urpN linux-source-2.6.26.orig/net/sctp/socket.c linux-source-2.6.26/net/sctp/socket.c
+--- linux-source-2.6.26.orig/net/sctp/socket.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sctp/socket.c	2008-08-26 17:34:22.000000000 -0600
+@@ -3045,6 +3045,11 @@ static int sctp_setsockopt_auth_key(stru
+ 		goto out;
+ 	}
+ 
++	if (authkey->sca_keylength > optlen) {
++		ret = -EINVAL;
++		goto out;
++	}
++
+ 	asoc = sctp_id2assoc(sk, authkey->sca_assoc_id);
+ 	if (!asoc && authkey->sca_assoc_id && sctp_style(sk, UDP)) {
+ 		ret = -EINVAL;
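Review bot: The check added to sctp_setsockopt_auth_key compares `authkey->sca_keylength` with the whole `optlen`, but optlen presumably also counts the fixed `struct sctp_authkey` header, so a key length that runs up to one header size past the end of the user-supplied buffer is still accepted. A tighter bound is `if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey))`, assuming the part of the function outside this hunk already rejects an optlen smaller than the header. In the auth.c hunk the signature is cut off, but if `key_len` is an unsigned 32-bit value then `INT_MAX - key_len` wraps for anything above INT_MAX and the guard passes; `if (key_len > INT_MAX - sizeof(struct sctp_auth_bytes))` keeps the subtraction from wrapping. The patch header says it was adjusted for Debian's 2.6.26 while the file is added under linux-2.6.24, so a line in the header confirming it applies to this tree would help whoever audits the backport.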

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	Fri Sep  5 16:19:11 2008
@@ -4,3 +4,4 @@
 + bugfix/netfilter-nf_nat_snmp_basic-fix-range-check.patch
 + bugfix/dccp-change-l-r-must-have-at-least-one-byte-in-the-dccpsf_val-field.patch
 + bugfix/vfs-fix-lookup-on-deleted-directory.patch
++ bugfix/sctp-auth-key-length-check.patch


