Bug 465730 - (CVE-2008-4618) CVE-2008-4618 kernel: sctp: Fix kernel panic while process protocol violation parameter
CVE-2008-4618 kernel: sctp: Fix kernel panic while process protocol violation...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 465731
  Show dependency treegraph
Reported: 2008-10-06 02:05 EDT by Eugene Teo (Security Response)
Modified: 2010-12-21 12:45 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-12-21 12:45:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Upstream patch for this issue (7.03 KB, patch)
2008-10-06 02:13 EDT, Eugene Teo (Security Response)
no flags Details | Diff

  None (edit)
Description Eugene Teo (Security Response) 2008-10-06 02:05:14 EDT
Description of problem:
Wei Yongjun reported that "Since call to function sctp_sf_abort_violation() need paramter 'arg' with 'struct sctp_chunk' type, it will read the chunk type and chunk length from the chunk_hdr member of chunk. But call to sctp_sf_violation_paramlen() always with 'struct sctp_paramhdr' type's parameter, it will be passed to sctp_sf_abort_violation(). This may cause kernel panic.

     |-- sctp_sf_abort_violation()
        |-- sctp_make_abort_violation()

This patch fixed this problem. This patch also fix two place which called sctp_sf_violation_paramlen() with wrong paramter type."
Comment 2 Eugene Teo (Security Response) 2008-10-06 02:13:47 EDT
Created attachment 319518 [details]
Upstream patch for this issue
Comment 5 Luis Claudio R. Goncalves 2008-10-06 14:16:06 EDT
MRG: Patch added to -85
Comment 6 Vincent Danen 2010-12-21 12:45:40 EST
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2009:0009)

Note You need to log in before you can comment on or make changes to this bug.