[thirdparty/kernel/stable-queue.git] / releases / 2.6.16.17 / sctp-respect-the-real-chunk-length-when-walking-parameters.patch

From nobody Mon Sep 17 00:00:00 2001
From: Vladislav Yasevich <vladislav.yasevich@hp.com>
Date: Fri, 19 May 2006 11:52:20 -0700
Subject: SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)

When performing bound checks during the parameter processing, we
want to use the real chunk and paramter lengths for bounds instead
of the rounded ones.  This prevents us from potentially walking of
the end if the chunk length was miscalculated.  We still use rounded
lengths when advancing the pointer. This was found during a
conformance test that changed the chunk length without modifying
parameters.

(Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
is parameter dependent).

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 include/net/sctp/sctp.h |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index e673b2c..aa6033c 100644
--- linux-2.6.16.16.orig/include/net/sctp/sctp.h
+++ linux-2.6.16.16/include/net/sctp/sctp.h
@@ -461,12 +461,12 @@ static inline int sctp_frag_point(const 
  * there is room for a param header too.
  */
 #define sctp_walk_params(pos, chunk, member)\
-_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member)
+_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)
 
 #define _sctp_walk_params(pos, chunk, end, member)\
 for (pos.v = chunk->member;\
      pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\
-     pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\
+     pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
      ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
      pos.v += WORD_ROUND(ntohs(pos.p->length)))
 
@@ -477,7 +477,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
 for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
 	    sizeof(sctp_chunkhdr_t));\
      (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\
-     (void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\
+     (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
      ntohs(err->length) >= sizeof(sctp_errhdr_t); \
      err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length))))
Commit	Line	Data
b03bbe70 CW	1	From nobody Mon Sep 17 00:00:00 2001
	2	From: Vladislav Yasevich <vladislav.yasevich@hp.com>
	3	Date: Fri, 19 May 2006 11:52:20 -0700
	4	Subject: SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)
	5
	6	When performing bound checks during the parameter processing, we
	7	want to use the real chunk and paramter lengths for bounds instead
	8	of the rounded ones. This prevents us from potentially walking of
	9	the end if the chunk length was miscalculated. We still use rounded
	10	lengths when advancing the pointer. This was found during a
	11	conformance test that changed the chunk length without modifying
	12	parameters.
	13
	14	(Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
	15	is parameter dependent).
	16
	17	Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
	18	Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
	19	Signed-off-by: Chris Wright <chrisw@sous-sol.org>
	20	---
	21
	22	include/net/sctp/sctp.h \| 6 +++---
	23	1 file changed, 3 insertions(+), 3 deletions(-)
	24
	25	dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512
	26	diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
	27	index e673b2c..aa6033c 100644
	28	--- linux-2.6.16.16.orig/include/net/sctp/sctp.h
	29	+++ linux-2.6.16.16/include/net/sctp/sctp.h
	30	@@ -461,12 +461,12 @@ static inline int sctp_frag_point(const
	31	* there is room for a param header too.
	32	*/
	33	#define sctp_walk_params(pos, chunk, member)\
	34	-_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member)
	35	+_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)
	36
	37	#define _sctp_walk_params(pos, chunk, end, member)\
	38	for (pos.v = chunk->member;\
	39	pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\
	40	- pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\
	41	+ pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
	42	ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
	43	pos.v += WORD_ROUND(ntohs(pos.p->length)))
	44
	45	@@ -477,7 +477,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
	46	for (err = (sctp_errhdr_t )((void )chunk_hdr + \
	47	sizeof(sctp_chunkhdr_t));\
	48	(void )err <= (void )chunk_hdr + end - sizeof(sctp_errhdr_t) &&\
	49	- (void )err <= (void )chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\
	50	+ (void )err <= (void )chunk_hdr + end - ntohs(err->length) &&\
	51	ntohs(err->length) >= sizeof(sctp_errhdr_t); \
	52	err = (sctp_errhdr_t )((void )err + WORD_ROUND(ntohs(err->length))))
	53