| /[pkg-src]/trunk/kernel26-magellan/patches-2.6.16-r12/0127-2.6.16.15-fragmented-SCTP-control-chunks-CVE-2006-2272.patch |
Annotation of /trunk/kernel26-magellan/patches-2.6.16-r12/0127-2.6.16.15-fragmented-SCTP-control-chunks-CVE-2006-2272.patch
Parent Directory
| 
Revision Log
Revision 72 -
(hide annotations)
(download)
Mon Jun 5 09:25:38 2006 UTC (18 years ago) by niro
File size: 2107 byte(s)
Mon Jun 5 09:25:38 2006 UTC (18 years ago) by niro
File size: 2107 byte(s)
ver bump to 2.6.16-r12: - updated to linux-2.6.16.19 - updated to ck11
| 1 | niro | 72 | From: Sridhar Samudrala <sri@us.ibm.com> |
| 2 | Date: Sat, 6 May 2006 00:04:43 +0000 (-0700) | ||
| 3 | Subject: [PATCH] SCTP: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006 ... | ||
| 4 | X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=40885c13b394cd1b74acc196f1d7990a3e0a484d | ||
| 5 | |||
| 6 | [PATCH] SCTP: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006-2272) | ||
| 7 | |||
| 8 | Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that | ||
| 9 | are received as skb's with fragment list. | ||
| 10 | |||
| 11 | Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> | ||
| 12 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 13 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> | ||
| 14 | --- | ||
| 15 | |||
| 16 | --- a/net/sctp/sm_statefuns.c | ||
| 17 | +++ b/net/sctp/sm_statefuns.c | ||
| 18 | @@ -636,8 +636,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co | ||
| 19 | */ | ||
| 20 | chunk->subh.cookie_hdr = | ||
| 21 | (struct sctp_signed_cookie *)chunk->skb->data; | ||
| 22 | - skb_pull(chunk->skb, | ||
| 23 | - ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t)); | ||
| 24 | + if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - | ||
| 25 | + sizeof(sctp_chunkhdr_t))) | ||
| 26 | + goto nomem; | ||
| 27 | |||
| 28 | /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint | ||
| 29 | * "Z" will reply with a COOKIE ACK chunk after building a TCB | ||
| 30 | @@ -965,7 +966,8 @@ sctp_disposition_t sctp_sf_beat_8_3(cons | ||
| 31 | */ | ||
| 32 | chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; | ||
| 33 | paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); | ||
| 34 | - skb_pull(chunk->skb, paylen); | ||
| 35 | + if (!pskb_pull(chunk->skb, paylen)) | ||
| 36 | + goto nomem; | ||
| 37 | |||
| 38 | reply = sctp_make_heartbeat_ack(asoc, chunk, | ||
| 39 | chunk->subh.hb_hdr, paylen); | ||
| 40 | @@ -1860,8 +1862,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupc | ||
| 41 | * are in good shape. | ||
| 42 | */ | ||
| 43 | chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; | ||
| 44 | - skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - | ||
| 45 | - sizeof(sctp_chunkhdr_t)); | ||
| 46 | + if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - | ||
| 47 | + sizeof(sctp_chunkhdr_t))) | ||
| 48 | + goto nomem; | ||
| 49 | |||
| 50 | /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie | ||
| 51 | * of a duplicate COOKIE ECHO match the Verification Tags of the |