--- /dev/null
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3569,6 +3569,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3598,6 +3599,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto discard_noforce;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto discard_noforce;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+@@ -3629,6 +3636,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3658,6 +3666,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto gen_shutdown;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto gen_shutdown;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
--- /dev/null
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3647,6 +3647,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3676,6 +3677,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto discard_noforce;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto discard_noforce;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+@@ -3707,6 +3714,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3736,6 +3744,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto gen_shutdown;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto gen_shutdown;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
--- /dev/null
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3641,6 +3641,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3670,6 +3671,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto discard_noforce;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto discard_noforce;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+@@ -3701,6 +3708,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3730,6 +3738,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto gen_shutdown;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto gen_shutdown;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
projects / openwrt / svn-archive / archive.git / commitdiff