CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)

kernel.spec

@@ -782,6 +782,9 @@ Patch25028: tty-Fix-low_latency-BUG.patch
 #rhbz 1066064
 Patch25029: audit-don-t-generate-loginuid-log-when-audit-disable.patch
 
+#CVE-2014-0101 rhbz 1072029 1070705
+Patch25030: net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1510,6 +1513,9 @@ ApplyPatch tty-Fix-low_latency-BUG.patch
 #rhbz 1066064
 ApplyPatch audit-don-t-generate-loginuid-log-when-audit-disable.patch
 
+#CVE-2014-0101 rhbz 1072029 1070705
+ApplyPatch net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2323,6 +2329,7 @@ fi
 
 %changelog
 * Mon Mar 03 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
 - Fix overly verbose audit logs (rhbz 1066064)
 
 * Mon Mar 03 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.5-102

net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch

@@ -0,0 +1,21 @@
+Bugzilla: 1072029
+Upstream-status: Submitted http://patchwork.ozlabs.org/patch/325898/
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 591b44d..ae65b6b 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -758,6 +758,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
+ 		struct sctp_chunk auth;
+ 		sctp_ierror_t ret;
+ 
++		/* Make sure that we and the peer are AUTH capable */
++		if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
++			kfree_skb(chunk->auth_chunk);
++			sctp_association_free(new_asoc);
++			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++		}
++
+ 		/* set-up our fake chunk so that we can process it */
+ 		auth.skb = chunk->auth_chunk;
+ 		auth.asoc = chunk->asoc;