Red Hat Bugzilla – Bug 452478
CVE-2008-2826 kernel: sctp: sctp_getsockopt_local_addrs_old() potential overflow
Last modified: 2010-12-23 16:10:39 EST
Description of problem:
kernel: sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.
Therefore, enforce an appropriate limit.
Version-Release number of selected component (if applicable):
All 2.6.* versions of the Linux kernel.
Proposed upstream patch:
Official statement of the Red Hat Security Response Team to CVE-2008-2826:
Gabriel Campana discovered a possible integer overflow in the Linux
kernel Stream Control Transmission Protocol (SCTP) implementation. In
the latest upstream (vanilla) kernels, this deficiency could lead to
privilege escalation. Since earlier kernels, such as those shipped with
Red Hat Enterprise Linux 2.1, 3, 4 and 5, use a different mechanism for
processing the relevant data structure, these kernels are not vulnerable
to the mentioned vulnerability.
Although the bug does not have a security consequence for the current
Red Hat Enterprise Linux kernels, we plan to fix it in future kernel
This was addressed via:
MRG Realtime for RHEL 5 Server (RHSA-2008:0585)