[kernel] r16483 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Oct 25 02:21:00 UTC 2010


Author: dannf
Date: Mon Oct 25 02:20:58 2010
New Revision: 16483

Log:
sctp: Do not reset the packet during sctp_packet_config() (CVE-2010-3432)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:20:47 2010	(r16482)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:20:58 2010	(r16483)
@@ -5,6 +5,7 @@
   * cxgb3: prevent reading uninitialized stack memory (CVE-2010-3296)
   * eql: prevent reading uninitialized stack memory (CVE-2010-3297)
   * rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
+  * sctp: Do not reset the packet during sctp_packet_config() (CVE-2010-3432)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch	Mon Oct 25 02:20:58 2010	(r16483)
@@ -0,0 +1,35 @@
+commit 5a493b9d0cb9bd16579e8f86036f7238476e0fd8
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Wed Sep 15 10:00:26 2010 -0400
+
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    sctp: Do not reset the packet during sctp_packet_config().
+    
+    sctp_packet_config() is called when getting the packet ready
+    for appending of chunks.  The function should not touch the
+    current state, since it's possible to ping-pong between two
+    transports when sending, and that can result packet corruption
+    followed by skb overlfow crash.
+    
+    Reported-by: Thomas Dreibholz <dreibh at iem.uni-due.de>
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sctp/output.c b/net/sctp/output.c
+index 6d45bae..9b38671 100644
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -78,12 +78,6 @@ struct sctp_packet *sctp_packet_config(struct sctp_packet *packet,
+ 			  packet, vtag);
+ 
+ 	packet->vtag = vtag;
+-	packet->has_cookie_echo = 0;
+-	packet->has_sack = 0;
+-	packet->has_auth = 0;
+-	packet->has_data = 0;
+-	packet->ipfragok = 0;
+-	packet->auth = NULL;
+ 
+ 	if (ecn_capable && sctp_packet_empty(packet)) {
+ 		chunk = sctp_get_ecne_prepend(packet->transport->asoc);
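
Review bot: In the sctp_packet_config() hunk of the added patch, the six removed assignments (has_cookie_echo, has_sack, has_auth, has_data, ipfragok, auth) are the only reset of this per-packet state that the visible lines show, and nothing here indicates where the 2.6.26 tree clears them once a packet has been sent. Because this is a backport, the patch header should name the existing code path in this tree that initialises and clears these fields, so a reader can confirm that stale has_* flags or a stale auth pointer cannot carry over into the next packet built on the same transport. The "[Backported to Debian's 2.6.26 ...]" line should also say what, if anything, was changed relative to upstream commit 5a493b9d0cb9bd16579e8f86036f7238476e0fd8.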

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:20:47 2010	(r16482)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:20:58 2010	(r16483)
@@ -3,3 +3,4 @@
 + bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
 + bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch
 + bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
++ bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch


