fix Linux kernel memory overflow in sctp (closes: #4913)
authorNicolas Thill <nico@openwrt.org>
Fri, 10 Apr 2009 12:05:15 +0000 (12:05 +0000)
committerNicolas Thill <nico@openwrt.org>
Fri, 10 Apr 2009 12:05:15 +0000 (12:05 +0000)
SVN-Revision: 15191

target/linux/generic-2.6/patches-2.6.24/992-cve-2009-0065.patch [new file with mode: 0644]
target/linux/generic-2.6/patches-2.6.25/992-cve-2009-0065.patch [new file with mode: 0644]
target/linux/generic-2.6/patches-2.6.26/992-cve-2009-0065.patch [new file with mode: 0644]

diff --git a/target/linux/generic-2.6/patches-2.6.24/992-cve-2009-0065.patch b/target/linux/generic-2.6/patches-2.6.24/992-cve-2009-0065.patch
new file mode 100644 (file)
index 0000000..1bcf038
--- /dev/null
@@ -0,0 +1,46 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3569,6 +3569,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+       struct sctp_chunk *chunk = arg;
+       struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++      struct sctp_fwdtsn_skip *skip;
+       __u16 len;
+       __u32 tsn;
+@@ -3598,6 +3599,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+       if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+               goto discard_noforce;
++      /* Silently discard the chunk if stream-id is not valid */
++      sctp_walk_fwdtsn(skip, chunk) {
++              if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++                      goto discard_noforce;
++      }
++
+       sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+       if (len > sizeof(struct sctp_fwdtsn_hdr))
+               sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+@@ -3629,6 +3636,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+       struct sctp_chunk *chunk = arg;
+       struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++      struct sctp_fwdtsn_skip *skip;
+       __u16 len;
+       __u32 tsn;
+@@ -3658,6 +3666,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+       if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+               goto gen_shutdown;
++      /* Silently discard the chunk if stream-id is not valid */
++      sctp_walk_fwdtsn(skip, chunk) {
++              if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++                      goto gen_shutdown;
++      }
++
+       sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+       if (len > sizeof(struct sctp_fwdtsn_hdr))
+               sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
diff --git a/target/linux/generic-2.6/patches-2.6.25/992-cve-2009-0065.patch b/target/linux/generic-2.6/patches-2.6.25/992-cve-2009-0065.patch
new file mode 100644 (file)
index 0000000..f49e2bb
--- /dev/null
@@ -0,0 +1,46 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3647,6 +3647,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+       struct sctp_chunk *chunk = arg;
+       struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++      struct sctp_fwdtsn_skip *skip;
+       __u16 len;
+       __u32 tsn;
+@@ -3676,6 +3677,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+       if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+               goto discard_noforce;
++      /* Silently discard the chunk if stream-id is not valid */
++      sctp_walk_fwdtsn(skip, chunk) {
++              if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++                      goto discard_noforce;
++      }
++
+       sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+       if (len > sizeof(struct sctp_fwdtsn_hdr))
+               sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+@@ -3707,6 +3714,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+       struct sctp_chunk *chunk = arg;
+       struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++      struct sctp_fwdtsn_skip *skip;
+       __u16 len;
+       __u32 tsn;
+@@ -3736,6 +3744,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+       if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+               goto gen_shutdown;
++      /* Silently discard the chunk if stream-id is not valid */
++      sctp_walk_fwdtsn(skip, chunk) {
++              if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++                      goto gen_shutdown;
++      }
++
+       sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+       if (len > sizeof(struct sctp_fwdtsn_hdr))
+               sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
diff --git a/target/linux/generic-2.6/patches-2.6.26/992-cve-2009-0065.patch b/target/linux/generic-2.6/patches-2.6.26/992-cve-2009-0065.patch
new file mode 100644 (file)
index 0000000..11f1e73
--- /dev/null
@@ -0,0 +1,46 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3641,6 +3641,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+       struct sctp_chunk *chunk = arg;
+       struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++      struct sctp_fwdtsn_skip *skip;
+       __u16 len;
+       __u32 tsn;
+@@ -3670,6 +3671,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+       if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+               goto discard_noforce;
++      /* Silently discard the chunk if stream-id is not valid */
++      sctp_walk_fwdtsn(skip, chunk) {
++              if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++                      goto discard_noforce;
++      }
++
+       sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+       if (len > sizeof(struct sctp_fwdtsn_hdr))
+               sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+@@ -3701,6 +3708,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+       struct sctp_chunk *chunk = arg;
+       struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++      struct sctp_fwdtsn_skip *skip;
+       __u16 len;
+       __u32 tsn;
+@@ -3730,6 +3738,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+       if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+               goto gen_shutdown;
++      /* Silently discard the chunk if stream-id is not valid */
++      sctp_walk_fwdtsn(skip, chunk) {
++              if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++                      goto gen_shutdown;
++      }
++
+       sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+       if (len > sizeof(struct sctp_fwdtsn_hdr))
+               sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,