[kernel] r16443 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 14 07:04:57 UTC 2010
Author: dannf
Date: Thu Oct 14 07:04:40 2010
New Revision: 16443
Log:
sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/25
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Oct 14 07:02:29 2010 (r16442)
+++ dists/sid/linux-2.6/debian/changelog Thu Oct 14 07:04:40 2010 (r16443)
@@ -40,6 +40,7 @@
* Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
* ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
* net sched: fix kernel leak in act_police (CVE-2010-3477)
+ * sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
-- dann frazier <dannf at debian.org> Wed, 13 Oct 2010 23:44:55 -0600
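Review bot: The added changelog entry names `sctp_asoc_get_hmac()`, but the hunk header in the patch this revision adds gives the function as `sctp_auth_asoc_get_hmac()`, and the patch file name uses a third spelling, `sctp_assoc_get_hmac`. The entry mirrors the upstream subject line, so keeping it verbatim is defensible, but anyone searching the changelog for the real function name will not find this fix. Consider noting the actual function name alongside the CVE id.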
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch Thu Oct 14 07:04:40 2010 (r16443)
@@ -0,0 +1,47 @@
+commit 51e97a12bef19b7e43199fc153cf9bd5f2140362
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri Oct 1 11:51:47 2010 +0000
+
+ sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
+
+ The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
+ array and attempts to ensure that only a supported hmac entry is
+ returned. The current code fails to do this properly - if the last id
+ in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
+ id integer remains set after exiting the loop, and the address of an
+ out-of-bounds entry will be returned and subsequently used in the parent
+ function, causing potentially ugly memory corruption. This patch resets
+ the id integer to 0 on encountering an invalid id so that NULL will be
+ returned after finishing the loop if no valid ids are found.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Acked-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 8636639..ddbbf7c 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
+ id = ntohs(hmacs->hmac_ids[i]);
+
+ /* Check the id is in the supported range */
+- if (id > SCTP_AUTH_HMAC_ID_MAX)
++ if (id > SCTP_AUTH_HMAC_ID_MAX) {
++ id = 0;
+ continue;
++ }
+
+ /* See is we support the id. Supported IDs have name and
+ * length fields set, so that we can allocated and use
+ * them. We can safely just check for name, for without the
+ * name, we can't allocate the TFM.
+ */
+- if (!sctp_hmac_list[id].hmac_name)
++ if (!sctp_hmac_list[id].hmac_name) {
++ id = 0;
+ continue;
++ }
+
+ break;
+ }
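Review bot: The two new `id = 0;` resets, in the `id > SCTP_AUTH_HMAC_ID_MAX` branch and in the `!sctp_hmac_list[id].hmac_name` branch, turn 0 into an implicit "no supported HMAC found" sentinel, yet nothing in the hunk documents that, and the check that converts it into the NULL return described in the commit message lies outside the visible context. Any later `continue` path added to this loop without the same reset would bring back the out-of-range index that the commit message describes. Suggest a short comment at the first reset stating that id 0 means "not found", or making the not-found state explicit after the loop (for example by comparing the loop index with the element count) rather than repeating the reset in each branch.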
Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 07:02:29 2010 (r16442)
+++ dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 07:04:40 2010 (r16443)
@@ -30,3 +30,4 @@
+ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
+ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
+ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
++ bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch