Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 315342 Details for
Bug 459955
CVE-2008-3792 kernel: sctp: fix potential panics in the SCTP-AUTH API
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Proposed backported patch for MRG kernel (untested)
bz#459956.patch (text/plain), 6.28 KB, created by
Eugene Teo (Security Response)
on 2008-08-29 08:20:11 UTC
(
hide
)
Description:
Proposed backported patch for MRG kernel (untested)
Filename:
MIME Type:
Creator:
Eugene Teo (Security Response)
Created:
2008-08-29 08:20:11 UTC
Size:
6.28 KB
patch
obsolete
>diff -uprN linux-2.6.24.7.noarch.default/net/sctp/endpointola.c linux-2.6.24.7.noarch/net/sctp/endpointola.c >--- linux-2.6.24.7.noarch.default/net/sctp/endpointola.c 2008-01-24 17:58:37.000000000 -0500 >+++ linux-2.6.24.7.noarch/net/sctp/endpointola.c 2008-08-29 03:48:03.251336000 -0400 >@@ -107,6 +107,7 @@ static struct sctp_endpoint *sctp_endpoi > > /* Initialize the CHUNKS parameter */ > auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS; >+ auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t)); > > /* If the Add-IP functionality is enabled, we must > * authenticate, ASCONF and ASCONF-ACK chunks >@@ -114,8 +115,7 @@ static struct sctp_endpoint *sctp_endpoi > if (sctp_addip_enable) { > auth_chunks->chunks[0] = SCTP_CID_ASCONF; > auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK; >- auth_chunks->param_hdr.length = >- htons(sizeof(sctp_paramhdr_t) + 2); >+ auth_chunks->param_hdr.length += htons(2); > } > } > >diff -uprN linux-2.6.24.7.noarch.default/net/sctp/socket.c linux-2.6.24.7.noarch/net/sctp/socket.c >--- linux-2.6.24.7.noarch.default/net/sctp/socket.c 2008-08-29 03:18:29.876875000 -0400 >+++ linux-2.6.24.7.noarch/net/sctp/socket.c 2008-08-29 04:12:14.806488000 -0400 >@@ -2959,6 +2959,9 @@ static int sctp_setsockopt_auth_chunk(st > { > struct sctp_authchunk val; > >+ if (!sctp_auth_enable) >+ return -EACCES; >+ > if (optlen != sizeof(struct sctp_authchunk)) > return -EINVAL; > if (copy_from_user(&val, optval, optlen)) >@@ -2989,6 +2992,9 @@ static int sctp_setsockopt_hmac_ident(st > struct sctp_hmacalgo *hmacs; > int err; > >+ if (!sctp_auth_enable) >+ return -EACCES; >+ > if (optlen < sizeof(struct sctp_hmacalgo)) > return -EINVAL; > >@@ -3027,6 +3033,9 @@ static int sctp_setsockopt_auth_key(stru > struct sctp_association *asoc; > int ret; > >+ if (!sctp_auth_enable) >+ return -EACCES; >+ > if (optlen <= sizeof(struct sctp_authkey)) > return -EINVAL; > >@@ -3064,6 +3073,9 @@ static int sctp_setsockopt_active_key(st > struct sctp_authkeyid val; > struct sctp_association *asoc; > >+ if (!sctp_auth_enable) >+ return -EACCES; >+ > if (optlen != sizeof(struct sctp_authkeyid)) > return -EINVAL; > if (copy_from_user(&val, optval, optlen)) >@@ -3089,6 +3101,9 @@ static int sctp_setsockopt_del_key(struc > struct sctp_authkeyid val; > struct sctp_association *asoc; > >+ if (!sctp_auth_enable) >+ return -EACCES; >+ > if (optlen != sizeof(struct sctp_authkeyid)) > return -EINVAL; > if (copy_from_user(&val, optval, optlen)) >@@ -5018,19 +5033,29 @@ static int sctp_getsockopt_maxburst(stru > static int sctp_getsockopt_hmac_ident(struct sock *sk, int len, > char __user *optval, int __user *optlen) > { >+ struct sctp_hmacalgo __user *p = (void __user *)optval; > struct sctp_hmac_algo_param *hmacs; >- __u16 param_len; >+ __u16 data_len = 0; >+ u32 num_idents; >+ >+ if (!sctp_auth_enable) >+ return -EACCES; > > hmacs = sctp_sk(sk)->ep->auth_hmacs_list; >- param_len = ntohs(hmacs->param_hdr.length); >+ data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t); > >- if (len < param_len) >+ if (len < sizeof(struct sctp_hmacalgo) + data_len) > return -EINVAL; >+ >+ len = sizeof(struct sctp_hmacalgo) + data_len; >+ num_idents = data_len / sizeof(u16); >+ > if (put_user(len, optlen)) > return -EFAULT; >- if (copy_to_user(optval, hmacs->hmac_ids, len)) >+ if (put_user(num_idents, &p->shmac_num_idents)) >+ return -EFAULT; >+ if (copy_to_user(p->shmac_idents, hmacs->hmac_ids, data_len)) > return -EFAULT; >- > return 0; > } > >@@ -5040,6 +5065,9 @@ static int sctp_getsockopt_active_key(st > struct sctp_authkeyid val; > struct sctp_association *asoc; > >+ if (!sctp_auth_enable) >+ return -EACCES; >+ > if (len < sizeof(struct sctp_authkeyid)) > return -EINVAL; > if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid))) >@@ -5054,6 +5082,12 @@ static int sctp_getsockopt_active_key(st > else > val.scact_keynumber = sctp_sk(sk)->ep->active_key_id; > >+ len = sizeof(struct sctp_authkeyid); >+ if (put_user(len, optlen)) >+ return -EFAULT; >+ if (copy_to_user(optval, &val, len)) >+ return -EFAULT; >+ > return 0; > } > >@@ -5064,12 +5098,16 @@ static int sctp_getsockopt_peer_auth_chu > struct sctp_authchunks val; > struct sctp_association *asoc; > struct sctp_chunks_param *ch; >+ u32 num_chunks = 0; > char __user *to; > >- if (len <= sizeof(struct sctp_authchunks)) >+ if (!sctp_auth_enable) >+ return -EACCES; >+ >+ if (len < sizeof(struct sctp_authchunks)) > return -EINVAL; > >- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks))) >+ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks))) > return -EFAULT; > > to = p->gauth_chunks; >@@ -5078,16 +5116,19 @@ static int sctp_getsockopt_peer_auth_chu > return -EINVAL; > > ch = asoc->peer.peer_chunks; >+ if (!ch) >+ goto num; > > /* See if the user provided enough room for all the data */ >- if (len < ntohs(ch->param_hdr.length)) >+ num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t); >+ if (len < num_chunks) > return -EINVAL; > >- len = ntohs(ch->param_hdr.length); >- if (put_user(len, optlen)) >- return -EFAULT; >- if (copy_to_user(to, ch->chunks, len)) >+ if (copy_to_user(to, ch->chunks, num_chunks)) > return -EFAULT; >+num: >+ len = sizeof(struct sctp_authchunks) + num_chunks; >+ if (put_user(len, optlen)) return -EFAULT; > > return 0; > } >@@ -5099,12 +5140,16 @@ static int sctp_getsockopt_local_auth_ch > struct sctp_authchunks val; > struct sctp_association *asoc; > struct sctp_chunks_param *ch; >+ u32 num_chunks = 0; > char __user *to; > >- if (len <= sizeof(struct sctp_authchunks)) >+ if (!sctp_auth_enable) >+ return -EACCES; >+ >+ if (len < sizeof(struct sctp_authchunks)) > return -EINVAL; > >- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks))) >+ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks))) > return -EFAULT; > > to = p->gauth_chunks; >@@ -5117,13 +5162,18 @@ static int sctp_getsockopt_local_auth_ch > else > ch = sctp_sk(sk)->ep->auth_chunk_list; > >- if (len < ntohs(ch->param_hdr.length)) >+ if (!ch) >+ goto num; >+ >+ num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t); >+ if (len < sizeof(struct sctp_authchunks) + num_chunks) > return -EINVAL; > >- len = ntohs(ch->param_hdr.length); >- if (put_user(len, optlen)) >+ if (copy_to_user(to, ch->chunks, num_chunks)) > return -EFAULT; >- if (copy_to_user(to, ch->chunks, len)) >+num: >+ len = sizeof(struct sctp_authchunks) + num_chunks; >+ if (put_user(len, optlen)) > return -EFAULT; > > return 0;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=315342">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 459955
:
314907
| 315342