Description of problem:
Eugene Teo reported that the number of HMAC identifiers needs to be checked against the option length. Also, the identifier index provided needs to be verified to make sure that it does not exceed the bounds of the array. However, this does not have a security consequence as it is saved by a couple of conditions in the sctp_auth_ep_set_hmacs routine.

Reference:
8.1.19. Get or set the list of supported HMAC Identifiers (SCTP_HMAC_IDENT)
http://ietfreport.isoc.org/idref/draft-ietf-tsvwg-sctpsocket/

Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=d97240552cd98c4b07322f30f66fd9c3ba4171de

It depends on bug #459956.

(In reply to comment #0)
[...]
> Proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=d97240552cd98c4b07322f30f66fd9c3ba4171de

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d97240552cd98c4b07322f30f66fd9c3ba4171de

(In reply to comment #0)
> Description of problem:
> Eugene Teo reported that the number of HMAC identifiers needs to be checked
> against the option length. Also, the identifier index provided needs to be
> verified to make sure that it does not exceed the bounds of the array. However,
> this does not have a security consequence as it is saved by a couple of
> conditions in the sctp_auth_ep_set_hmacs routine.

Not really. This could result in a possible information disclosure via sctp_getsockopt_hmac_ident().

This was addressed via: MRG Realtime for RHEL 5 Server (RHSA-2008:0857)
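
The two checks named in the report (identifier count against option length, identifier value against the array bounds), as an added userspace sketch that is not part of this thread and is not the kernel's code. The struct layout, the limits MAX_IDENTS and HMAC_ID_MAX, the table hmac_table and the function check_hmac_opt are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical limits for this sketch; not taken from the kernel source. */
#define MAX_IDENTS  4   /* most identifiers accepted in one option */
#define HMAC_ID_MAX 3   /* highest valid index into hmac_table[] */

/* Constructed stand-in for the table the identifiers index (0 = no algorithm). */
static const uint16_t hmac_table[HMAC_ID_MAX + 1] = { 0, 20, 0, 32 };

/* Assumed option layout: a count followed by that many 16-bit identifiers. */
struct hmac_opt {
    uint32_t num_idents;
    uint16_t idents[];
};

/* Returns 0 if the untrusted buffer passes both checks, else a negative errno. */
int check_hmac_opt(const void *optval, size_t optlen)
{
    const size_t hdr_len = offsetof(struct hmac_opt, idents);
    const unsigned char *p = optval;
    uint32_t num, i;
    uint16_t id;

    if (optlen < hdr_len)
        return -EINVAL;             /* too short to hold the count */
    memcpy(&num, p, sizeof(num));

    /* Check 1: the claimed count must fit in the bytes actually supplied. */
    if (num == 0 || num > MAX_IDENTS ||
        num * sizeof(id) > optlen - hdr_len)
        return -EINVAL;

    for (i = 0; i < num; i++) {
        memcpy(&id, p + hdr_len + i * sizeof(id), sizeof(id));
        /* Check 2: bound the identifier before it is used as an array index. */
        if (id > HMAC_ID_MAX)
            return -EOPNOTSUPP;
        if (hmac_table[id] == 0)
            return -EOPNOTSUPP;     /* in range, but no algorithm in that slot */
    }
    return 0;
}
```

Without check 1, a count larger than the supplied buffer makes the loop read past the copied option; without check 2, an oversized identifier indexes past the end of the table.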