CVE-2010-3432: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
This commit is contained in:
parent
5c3c16ba28
commit
2968963f0b
13
kernel.spec
13
kernel.spec
|
@ -611,9 +611,11 @@ Patch23: linux-2.6-utrace-ptrace.patch
|
|||
|
||||
Patch50: linux-2.6-x86-cfi_sections.patch
|
||||
|
||||
# CVE-2010-3301, CVE-2010-3081
|
||||
Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
# CVE-2010-3067
|
||||
Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
|
||||
Patch144: linux-2.6-vio-modalias.patch
|
||||
|
@ -817,6 +819,9 @@ Patch12570: sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bi
|
|||
Patch12580: xen-handle-events-as-edge-triggered.patch
|
||||
Patch12581: xen-use-percpu-interrupts-for-ipis-and-virqs.patch
|
||||
|
||||
# CVE-2010-3432
|
||||
Patch12590: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
@ -1246,11 +1251,11 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
|
|||
# x86(-64)
|
||||
ApplyPatch linux-2.6-x86-cfi_sections.patch
|
||||
|
||||
# CVE-2010-3301, CVE-2010-3081
|
||||
ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
|
||||
|
||||
#
|
||||
# Intel IOMMU
|
||||
#
|
||||
|
@ -1545,6 +1550,9 @@ ApplyPatch sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit
|
|||
ApplyPatch xen-handle-events-as-edge-triggered.patch
|
||||
ApplyPatch xen-use-percpu-interrupts-for-ipis-and-virqs.patch
|
||||
|
||||
# CVE-2010-3432
|
||||
ApplyPatch sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2166,6 +2174,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Sep 30 2010 Chuck Ebbert <cebbert@redhat.com>
|
||||
- CVE-2010-3432: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
|
||||
|
||||
* Thu Sep 30 2010 Ben Skeggs <bskeggs@redhat.com> 2.6.34.7-59
|
||||
- nouveau: fix theoretical race condition that could be responsible for
|
||||
certain random hangs that have been reported.
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
From 4bdab43323b459900578b200a4b8cf9713ac8fab Mon Sep 17 00:00:00 2001
|
||||
From: Vlad Yasevich <vladislav.yasevich@hp.com>
|
||||
Date: Wed, 15 Sep 2010 10:00:26 -0400
|
||||
Subject: sctp: Do not reset the packet during sctp_packet_config().
|
||||
|
||||
From: Vlad Yasevich <vladislav.yasevich@hp.com>
|
||||
|
||||
commit 4bdab43323b459900578b200a4b8cf9713ac8fab upstream.
|
||||
|
||||
sctp_packet_config() is called when getting the packet ready
|
||||
for appending of chunks. The function should not touch the
|
||||
current state, since it's possible to ping-pong between two
|
||||
transports when sending, and that can result packet corruption
|
||||
followed by skb overlfow crash.
|
||||
|
||||
Reported-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
|
||||
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
net/sctp/output.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
--- a/net/sctp/output.c
|
||||
+++ b/net/sctp/output.c
|
||||
@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(s
|
||||
SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
|
||||
packet, vtag);
|
||||
|
||||
- sctp_packet_reset(packet);
|
||||
packet->vtag = vtag;
|
||||
|
||||
if (ecn_capable && sctp_packet_empty(packet)) {
|
Loading…
Reference in New Issue