Description of the problem: For a TCP-style socket, while processing the COOKIE_ECHO chunk in sctp_sf_do_5_1D_ce(), after it has passed a series of sanity checks, a new association is created in sctp_unpack_cookie(). If some later processing fails, sctp_association_free() is called to free the previously allocated association. In sctp_association_free(), the sk_ack_backlog value is decremented for this socket; since the initial value of sk_ack_backlog is 0, after the decrement it will be 65535, a wrap-around problem. If we then want to establish new associations in the same socket, an ABORT is triggered because sctp deems the accept queue full. A remote attacker can block further connections to the particular sctp server socket by sending a specially crafted sctp packet.

Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d3217b15a19a4779c39b212358a5c71d725822ee

Acknowledgements: Red Hat would like to thank Gopal Reddy Kodudula of Nokia Siemens Networks for reporting this issue.
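The counter wrap-around and the resulting accept-queue check, modeled in C as an added illustration (constructed here, not kernel or patch code). The `counted` flag standing for whether an association was ever charged to the backlog is an assumption of this model; the report above does not describe how the upstream patch fixes the accounting.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the accounting described above, not kernel code.
 * sk_ack_backlog is a 16-bit unsigned counter, so 0 - 1 wraps to 65535. */
struct listen_sock {
    uint16_t sk_ack_backlog;     /* associations queued for accept() */
    uint16_t sk_max_ack_backlog; /* limit set by listen() */
};

/* Buggy free path: decrements for every association, including one torn
 * down before it was ever counted against the backlog. */
static void assoc_free_buggy(struct listen_sock *sk, bool counted)
{
    (void)counted;
    sk->sk_ack_backlog--; /* underflows from 0 to 65535 */
}

/* Hardened free path: only undo an increment that actually happened.
 * The 'counted' flag is assumed bookkeeping for this illustration. */
static void assoc_free_fixed(struct listen_sock *sk, bool counted)
{
    if (counted)
        sk->sk_ack_backlog--;
}

/* Modeled on sk_acceptq_is_full: a wrapped counter always looks full. */
static bool accept_queue_full(struct listen_sock sk)
{
    return sk.sk_ack_backlog > sk.sk_max_ack_backlog;
}

/* COOKIE_ECHO whose new association is freed after a later step fails. */
static struct listen_sock after_failed_cookie_echo(bool fixed)
{
    struct listen_sock sk = { .sk_ack_backlog = 0, .sk_max_ack_backlog = 128 };

    if (fixed)
        assoc_free_fixed(&sk, false);  /* never reached the accept queue */
    else
        assoc_free_buggy(&sk, false);
    return sk;
}

int main(void)
{
    struct listen_sock b = after_failed_cookie_echo(false);
    printf("buggy: backlog=%u full=%d\n", (unsigned)b.sk_ack_backlog, accept_queue_full(b));
    return 0;
}
```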
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1113973]
kernel-3.14.9-200.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5.
This issue has been addressed in the following products: MRG for RHEL-6 v.2 Via RHSA-2014:0913 https://rhn.redhat.com/errata/RHSA-2014-0913.html
kernel-3.14.13-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Issue Description: An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket from being made.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1023 https://rhn.redhat.com/errata/RHSA-2014-1023.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1167 https://rhn.redhat.com/errata/RHSA-2014-1167.html