[kernel] r12566 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Jan 10 23:14:26 UTC 2009
Author: dannf
Date: Sat Jan 10 23:14:25 2009
New Revision: 12566
Log:
* sctp: fix memory overflow (CVE-2009-0065)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/14
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog (original)
+++ dists/sid/linux-2.6/debian/changelog Sat Jan 10 23:14:25 2009
@@ -3,7 +3,10 @@
[ Moritz Muehlenhoff ]
* Add support for Acer Aspire One with ALC269 codec chip. (Closes: #505250)
- -- dann frazier <dannf at debian.org> Sat, 10 Jan 2009 10:03:13 -0700
+ [ dann frazier ]
+ * sctp: fix memory overflow (CVE-2009-0065)
+
+ -- dann frazier <dannf at debian.org> Sat, 10 Jan 2009 16:06:04 -0700
linux-2.6 (2.6.26-13) unstable; urgency=high
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch Sat Jan 10 23:14:25 2009
@@ -0,0 +1,67 @@
+commit 9fcb95a105758b81ef0131cd18e2db5149f13e95
+Author: Wei Yongjun <yjwei at cn.fujitsu.com>
+Date: Thu Dec 25 16:58:11 2008 -0800
+
+ sctp: Avoid memory overflow while FWD-TSN chunk is received with bad stream ID
+
+ If FWD-TSN chunk is received with bad stream ID, the sctp will not do the
+ validity check, this may cause memory overflow when overwrite the TSN of
+ the stream ID.
+
+ The FORWARD-TSN chunk is like this:
+
+ FORWARD-TSN chunk
+ Type = 192
+ Flags = 0
+ Length = 172
+ NewTSN = 99
+ Stream = 10000
+ StreamSequence = 0xFFFF
+
+ This patch fix this problem by discard the chunk if stream ID is not
+ less than MIS.
+
+ Signed-off-by: Wei Yongjun <yjwei at cn.fujitsu.com>
+ Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/net/sctp/sm_statefuns.c linux-source-2.6.26/net/sctp/sm_statefuns.c
+--- linux-source-2.6.26.orig/net/sctp/sm_statefuns.c 2009-01-08 16:43:13.000000000 -0700
++++ linux-source-2.6.26/net/sctp/sm_statefuns.c 2009-01-10 10:15:32.000000000 -0700
+@@ -3641,6 +3641,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3701,6 +3702,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3730,6 +3732,18 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto gen_shutdown;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto discard_noforce;
++ }
++
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto gen_shutdown;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
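Review bot: Both stream-id validation loops land in the third hunk, which by its header and its `goto gen_shutdown` context is sctp_sf_eat_fwd_tsn_fast, while the hunk at -3641 for sctp_sf_eat_fwd_tsn adds only the `skip` declaration. As shown, the non-fast handler seems to stay without the bounds check on `skip->stream` that this patch is meant to add, and the first loop's `goto discard_noforce` targets a label that is not visible in this hunk and may not exist in the fast handler. The second loop is also dead after the first, since it tests the same condition `ntohs(skip->stream) >= asoc->c.sinit_max_instreams`. I would move the `goto discard_noforce` loop into sctp_sf_eat_fwd_tsn right after its `sctp_tsnmap_check()` test and keep only the `goto gen_shutdown` loop here. Both function bodies start and end outside the hunks, so this should be confirmed against the adjusted 2.6.26 source.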
Modified: dists/sid/linux-2.6/debian/patches/series/14
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/14 (original)
+++ dists/sid/linux-2.6/debian/patches/series/14 Sat Jan 10 23:14:25 2009
@@ -1 +1,2 @@
+ features/all/alsa-hda-support-acer-aspire-one.patch
++ bugfix/all/sctp-avoid-memory-overflow.patch