CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
This commit is contained in:
parent
e03ee0de7f
commit
ec9e0da519
|
@ -782,6 +782,9 @@ Patch25028: tty-Fix-low_latency-BUG.patch
|
|||
#rhbz 1066064
|
||||
Patch25029: audit-don-t-generate-loginuid-log-when-audit-disable.patch
|
||||
|
||||
#CVE-2014-0101 rhbz 1072029 1070705
|
||||
Patch25030: net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1510,6 +1513,9 @@ ApplyPatch tty-Fix-low_latency-BUG.patch
|
|||
#rhbz 1066064
|
||||
ApplyPatch audit-don-t-generate-loginuid-log-when-audit-disable.patch
|
||||
|
||||
#CVE-2014-0101 rhbz 1072029 1070705
|
||||
ApplyPatch net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2323,6 +2329,7 @@ fi
|
|||
|
||||
%changelog
|
||||
* Mon Mar 03 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
|
||||
- Fix overly verbose audit logs (rhbz 1066064)
|
||||
|
||||
* Mon Mar 03 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.5-102
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
Bugzilla: 1072029
|
||||
Upstream-status: Submitted http://patchwork.ozlabs.org/patch/325898/
|
||||
|
||||
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
|
||||
index 591b44d..ae65b6b 100644
|
||||
--- a/net/sctp/sm_statefuns.c
|
||||
+++ b/net/sctp/sm_statefuns.c
|
||||
@@ -758,6 +758,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
|
||||
struct sctp_chunk auth;
|
||||
sctp_ierror_t ret;
|
||||
|
||||
+ /* Make sure that we and the peer are AUTH capable */
|
||||
+ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
|
||||
+ kfree_skb(chunk->auth_chunk);
|
||||
+ sctp_association_free(new_asoc);
|
||||
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
|
||||
+ }
|
||||
+
|
||||
/* set-up our fake chunk so that we can process it */
|
||||
auth.skb = chunk->auth_chunk;
|
||||
auth.asoc = chunk->asoc;
|
Loading…
Reference in New Issue