Red Hat Bugzilla – Bug 466079
CVE-2008-4576 kernel: sctp: Fix oops when INIT-ACK indicates that peer doesn't support AUTH
Last modified: 2010-12-21 12:47:04 EST
Description of problem:
If an INIT-ACK is received with a Supported Extensions parameter which indicates that the peer does not support AUTH, the packet will be silently ignored, and sctp_process_init() cleans up all of the transports in the association. When the T1-Init timer expires, an OOPS happens while we try to choose a different init transport.
The solution is to only clean up the non-active transports, i.e. the ones that the peer added. However, that introduces a problem with sctp_connectx(), because we don't mark the proper state for the transports provided by the user. So, we'll simply mark user-provided transports as ACTIVE. That will allow INIT retransmissions to work properly in the sctp_connectx() context and prevent the crash.
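The following is an added userspace model of the failure mode and of the fix described above; it is not the kernel patch or any code from this bug. The transport list, the state flag and the function names (add_transport, cleanup_after_init, choose_init_transport, scenario_survives) are simplified stand-ins for the kernel's association handling, and the "fixed" argument switches between the pre- and post-patch cleanup behaviour.

```c
#include <stddef.h>

/* Toy model of an association's transport list; not kernel code. */
#define MAX_TRANSPORTS 4
enum state { SCTP_INACTIVE, SCTP_ACTIVE };
struct transport { const char *addr; enum state state; int in_use; };
struct assoc { struct transport t[MAX_TRANSPORTS]; int n; };

/* user_provided models sctp_connectx() addresses: before the fix they were
   left INACTIVE like peer-added ones, after it they are marked ACTIVE. */
static void add_transport(struct assoc *a, const char *addr,
                          int user_provided, int fixed)
{
    struct transport *t = &a->t[a->n++];
    t->addr = addr;
    t->in_use = 1;
    t->state = (user_provided && fixed) ? SCTP_ACTIVE : SCTP_INACTIVE;
}

/* Cleanup when the INIT-ACK is dropped because the peer lacks AUTH support:
   unfixed code drops every transport, fixed code keeps the ACTIVE ones. */
static void cleanup_after_init(struct assoc *a, int fixed)
{
    for (int i = 0; i < a->n; i++)
        if (!fixed || a->t[i].state != SCTP_ACTIVE)
            a->t[i].in_use = 0;
}

/* Next transport for INIT retransmission when T1-Init expires; NULL means
   the list is empty, the condition the kernel went on to dereference. */
static struct transport *choose_init_transport(struct assoc *a)
{
    for (int i = 0; i < a->n; i++)
        if (a->t[i].in_use)
            return &a->t[i];
    return NULL;
}

/* Returns 1 if a transport survives for retransmission, 0 if none is left. */
int scenario_survives(int fixed)
{
    struct assoc a = { .n = 0 };
    add_transport(&a, "user-addr-1", 1, fixed);  /* from sctp_connectx() */
    add_transport(&a, "user-addr-2", 1, fixed);
    add_transport(&a, "peer-addr", 0, fixed);    /* learned from INIT-ACK */
    cleanup_after_init(&a, fixed);
    return choose_init_transport(&a) != NULL;
}
```

With fixed set to 0 the cleanup empties the list and the retransmission path gets NULL, which is the crash; with fixed set to 1 the user-provided transports stay ACTIVE and survive the cleanup.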
Proposed upstream patch:
Created attachment 319734
Proposed backport patch for realtime kernel
kernel-22.214.171.124-49.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
MRG patch added to -90
This was addressed via:
Red Hat Enterprise Linux version 5 (RHSA-2008:1017)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)