[kernel] r16487 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Oct 25 02:21:40 UTC 2010
Author: dannf
Date: Mon Oct 25 02:21:37 2010
New Revision: 16487
Log:
sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:21:28 2010 (r16486)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:21:37 2010 (r16487)
@@ -9,6 +9,7 @@
* Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
* ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
* thinkpad-acpi: lock down video output state access (CVE-2010-3448)
+ * sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
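Review bot: The new changelog entry names sctp_asoc_get_hmac(), but the function the added patch touches is sctp_auth_asoc_get_hmac(), as its hunk header in net/sctp/auth.c shows. The entry copies the upstream subject line, which is useful for matching against the upstream commit. Still, someone searching the tree for the function named here will not find it, so consider giving the real function name alongside the CVE id.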
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch Mon Oct 25 02:21:37 2010 (r16487)
@@ -0,0 +1,47 @@
+commit 322d8fe673fcb447be77b60d1c3f6a42554f3daa
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri Oct 1 11:51:47 2010 +0000
+
+ sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
+
+ The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
+ array and attempts to ensure that only a supported hmac entry is
+ returned. The current code fails to do this properly - if the last id
+ in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
+ id integer remains set after exiting the loop, and the address of an
+ out-of-bounds entry will be returned and subsequently used in the parent
+ function, causing potentially ugly memory corruption. This patch resets
+ the id integer to 0 on encountering an invalid id so that NULL will be
+ returned after finishing the loop if no valid ids are found.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Acked-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 52db5f6..1ca7e4d 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -542,16 +542,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
+ id = ntohs(hmacs->hmac_ids[i]);
+
+ /* Check the id is in the supported range */
+- if (id > SCTP_AUTH_HMAC_ID_MAX)
++ if (id > SCTP_AUTH_HMAC_ID_MAX) {
++ id = 0;
+ continue;
++ }
+
+ /* See is we support the id. Supported IDs have name and
+ * length fields set, so that we can allocated and use
+ * them. We can safely just check for name, for without the
+ * name, we can't allocate the TFM.
+ */
+- if (!sctp_hmac_list[id].hmac_name)
++ if (!sctp_hmac_list[id].hmac_name) {
++ id = 0;
+ continue;
++ }
+
+ break;
+ }
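Review bot: In the loop in sctp_auth_asoc_get_hmac(), the fix only holds while every rejecting branch remembers to write `id = 0;` before `continue;`. Any later branch that skips an entry without that reset brings back the stale-id return the commit message describes. It would be more robust to record success only on the accepting path, for example with a local result pointer that starts as NULL and is assigned just before `break;`, so the code after the loop does not have to infer "nothing found" from the value of id. The post-loop code is outside this hunk, so it is worth confirming that it does treat id == 0 as "not found" and returns NULL, as the message states. The range check also only covers the upper bound, which is sufficient only if id is an unsigned type.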
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:21:28 2010 (r16486)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:21:37 2010 (r16487)
@@ -7,3 +7,4 @@
+ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
+ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
+ bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
++ bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch