Description of problem: Eugene Teo reported that an integer overflow flaw was found in the Linux kernel sctp_setsockopt_auth_key() function. The structure used for SCTP_AUTH_KEY option contains a length that needs to be verified to prevent integer overflow conditions.
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30c2235cbc477d4629983d440cdc4f496fec9246
(In reply to comment #1) > Proposed upstream patch: > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30c2235cbc477d4629983d440cdc4f496fec9246 There are discussions to use UINT_MAX instead of INT_MAX in the if comparison, and to limit the upper bound to a smaller number. So don't backport the patch yet.
SCTP-AUTH API was introduced in upstream commit 65b07e5d (20070916). This extension is disabled by default since upstream commit 5e739d17 (20080821).
(In reply to comment #2) > (In reply to comment #1) > > Proposed upstream patch: > > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30c2235cbc477d4629983d440cdc4f496fec9246 > > There are discussions to use UINT_MAX instead of INT_MAX in the if comparison, > and to limit the upper bound to a smaller number. So don't backport the patch > yet. Vlad wrote that using INT_MAX is sufficient to catch possible overflows, and that restricting the size further is pointless and could end up being too restrictive. So, please backport the patch based on commit 30c2235cb. Thanks.
Created attachment 315008 [details] Upstream patch for this issue
(In reply to comment #5) > (In reply to comment #2) > > (In reply to comment #1) > > > Proposed upstream patch: > > > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30c2235cbc477d4629983d440cdc4f496fec9246 > > > > There are discussions to use UINT_MAX instead of INT_MAX in the if comparison, > > and to limit the upper bound to a smaller number. So don't backport the patch > > yet. > > Vlad wrote that using INT_MAX is sufficient to catch possible overflows, and > that restricting the size further is pointless and could end up being too > restrictive. So, please backport the patch based on commit 30c2235cb. Thanks. Turns out that the upper bound needs to be fixed :) Will update the bug with the commit hash as soon as it is committed upstream.
The backport patch needs this as well: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=328fc47ea0bcc27d9afa69c3ad6e52431cadd76c
Created attachment 315341 [details] Proposed backported patch for MRG kernel
Queued for -79
This was addressed via: MRG Realtime for RHEL 5 Server (RHSA-2008:0857)