[kernel] r16443 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Oct 14 07:04:57 UTC 2010


Author: dannf
Date: Thu Oct 14 07:04:40 2010
New Revision: 16443

Log:
sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/25

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Oct 14 07:02:29 2010	(r16442)
+++ dists/sid/linux-2.6/debian/changelog	Thu Oct 14 07:04:40 2010	(r16443)
@@ -40,6 +40,7 @@
   * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
   * ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
   * net sched: fix kernel leak in act_police (CVE-2010-3477)
+  * sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
 
  -- dann frazier <dannf at debian.org>  Wed, 13 Oct 2010 23:44:55 -0600
 
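Review bot: the new changelog line reproduces the upstream commit title verbatim, which is the usual convention, but the function it names (sctp_asoc_get_hmac) is not the symbol the added patch actually touches: the hunk header in the patch file reads "struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)". Consider adding the real function name in parentheses after the title so that anyone grepping the changelog for the affected symbol, or matching it against the CVE-2010-3705 description, finds the right entry without opening the patch.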

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch	Thu Oct 14 07:04:40 2010	(r16443)
@@ -0,0 +1,47 @@
+commit 51e97a12bef19b7e43199fc153cf9bd5f2140362
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Fri Oct 1 11:51:47 2010 +0000
+
+    sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
+    
+    The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
+    array and attempts to ensure that only a supported hmac entry is
+    returned.  The current code fails to do this properly - if the last id
+    in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
+    id integer remains set after exiting the loop, and the address of an
+    out-of-bounds entry will be returned and subsequently used in the parent
+    function, causing potentially ugly memory corruption.  This patch resets
+    the id integer to 0 on encountering an invalid id so that NULL will be
+    returned after finishing the loop if no valid ids are found.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Acked-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 8636639..ddbbf7c 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
+ 		id = ntohs(hmacs->hmac_ids[i]);
+ 
+ 		/* Check the id is in the supported range */
+-		if (id > SCTP_AUTH_HMAC_ID_MAX)
++		if (id > SCTP_AUTH_HMAC_ID_MAX) {
++			id = 0;
+ 			continue;
++		}
+ 
+ 		/* See is we support the id.  Supported IDs have name and
+ 		 * length fields set, so that we can allocated and use
+ 		 * them.  We can safely just check for name, for without the
+ 		 * name, we can't allocate the TFM.
+ 		 */
+-		if (!sctp_hmac_list[id].hmac_name)
++		if (!sctp_hmac_list[id].hmac_name) {
++			id = 0;
+ 			continue;
++		}
+ 
+ 		break;
+ 	}
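Review bot: the fix makes both "continue" paths in the loop reset "id = 0" so that a trailing out-of-range or unsupported entry no longer leaves a stale index behind, but the correctness of this now depends on the post-loop test, which is outside the visible context. The commit message says NULL is returned after the loop "if no valid ids are found", so the reviewer should confirm that the code following the loop checks "id == 0" (not, for example, "i == n_elt") and that index 0 of sctp_hmac_list can never pass the "hmac_name" test, otherwise a reset id of 0 would be indistinguishable from a legitimately selected entry. A small robustness improvement would be to track the result in a separate pointer (or a found flag set just before "break;") rather than overloading "id" as both loop variable and sentinel, which is what made the original bug easy to miss.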

Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 07:02:29 2010	(r16442)
+++ dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 07:04:40 2010	(r16443)
@@ -30,3 +30,4 @@
 + bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
 + bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
 + bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
++ bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch
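Review bot: the series entry matches the filename of the added patch, so the series will apply, but the file is named "sctp_assoc_get_hmac" while the changelog and the upstream commit title say "sctp_asoc_get_hmac" and the patched function is "sctp_auth_asoc_get_hmac". Renaming the patch (and this series line together with it) to use the same spelling as the changelog entry would keep the three places consistent and make the patch discoverable by the name people will search for.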
