CVE-2010-3705: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
This commit is contained in:
parent
31ece0102d
commit
2c7b199d8c
|
@ -883,6 +883,8 @@ Patch13901: ioat2-catch-and-recover-from-broken-vtd-configurations.patch
|
|||
Patch13910: v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
||||
# CVE-2010-3698
|
||||
Patch13911: kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
||||
# CVE-2010-3705
|
||||
Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
@ -1691,6 +1693,8 @@ ApplyPatch ioat2-catch-and-recover-from-broken-vtd-configurations.patch
|
|||
ApplyPatch v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
||||
# CVE-2010-3698
|
||||
ApplyPatch kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
||||
# CVE-2010-3705
|
||||
ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2317,6 +2321,7 @@ fi
|
|||
- CVE-2010-2962: arbitrary kernel memory write via i915 GEM ioctl
|
||||
- CVE-2010-2963: v4l: VIDIOCSMICROCODE arbitrary write
|
||||
- CVE-2010-3698: kvm: invalid selector in fs/gs causes kernel panic
|
||||
- CVE-2010-3705: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
|
||||
|
||||
* Thu Dec 09 2010 Kyle McMartin <kyle@redhat.com>
|
||||
- ioat2-catch-and-recover-from-broken-vtd-configurations.patch: copy patch
|
||||
|
|
|
@ -0,0 +1,50 @@
|
|||
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Date: Fri, 1 Oct 2010 11:51:47 +0000 (+0000)
|
||||
Subject: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
|
||||
X-Git-Tag: v2.6.36-rc8~2^2~25
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=51e97a12bef19b7e43199fc153cf9bd5f2140362
|
||||
|
||||
sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
|
||||
|
||||
The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
|
||||
array and attempts to ensure that only a supported hmac entry is
|
||||
returned. The current code fails to do this properly - if the last id
|
||||
in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
|
||||
id integer remains set after exiting the loop, and the address of an
|
||||
out-of-bounds entry will be returned and subsequently used in the parent
|
||||
function, causing potentially ugly memory corruption. This patch resets
|
||||
the id integer to 0 on encountering an invalid id so that NULL will be
|
||||
returned after finishing the loop if no valid ids are found.
|
||||
|
||||
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
|
||||
index 8636639..ddbbf7c 100644
|
||||
--- a/net/sctp/auth.c
|
||||
+++ b/net/sctp/auth.c
|
||||
@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
|
||||
id = ntohs(hmacs->hmac_ids[i]);
|
||||
|
||||
/* Check the id is in the supported range */
|
||||
- if (id > SCTP_AUTH_HMAC_ID_MAX)
|
||||
+ if (id > SCTP_AUTH_HMAC_ID_MAX) {
|
||||
+ id = 0;
|
||||
continue;
|
||||
+ }
|
||||
|
||||
/* See is we support the id. Supported IDs have name and
|
||||
* length fields set, so that we can allocated and use
|
||||
* them. We can safely just check for name, for without the
|
||||
* name, we can't allocate the TFM.
|
||||
*/
|
||||
- if (!sctp_hmac_list[id].hmac_name)
|
||||
+ if (!sctp_hmac_list[id].hmac_name) {
|
||||
+ id = 0;
|
||||
continue;
|
||||
+ }
|
||||
|
||||
break;
|
||||
}
|
Loading…
Reference in New Issue