1 | From nobody Mon Sep 17 00:00:00 2001 |
2 | From: Vladislav Yasevich <vladislav.yasevich@hp.com> | |
3 | Date: Fri, 19 May 2006 11:52:20 -0700 | |
4 | Subject: SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858) | |
5 | ||
6 | When performing bound checks during the parameter processing, we | |
7 | want to use the real chunk and parameter lengths for bounds instead | |
8 | of the rounded ones. This prevents us from potentially walking off | |
9 | the end if the chunk length was miscalculated. We still use rounded | |
10 | lengths when advancing the pointer. This was found during a | |
11 | conformance test that changed the chunk length without modifying | |
12 | parameters. | |
13 | ||
14 | (Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem | |
15 | is parameter dependent). | |
16 | ||
17 | Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> | |
18 | Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> | |
19 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> | |
20 | --- | |
21 | ||
22 | include/net/sctp/sctp.h | 6 +++--- | |
23 | 1 file changed, 3 insertions(+), 3 deletions(-) | |
24 | ||
25 | dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512 | |
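diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index e673b2c..aa6033c 100644
--- linux-2.6.16.16.orig/include/net/sctp/sctp.h
+++ linux-2.6.16.16/include/net/sctp/sctp.h
@@ -461,12 +461,12 @@ static inline int sctp_frag_point(const
 * there is room for a param header too.
 */
 #define sctp_walk_params(pos, chunk, member)\
-_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member)
+_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)
 
 #define _sctp_walk_params(pos, chunk, end, member)\
 for (pos.v = chunk->member;\
 pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\
-pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\
+pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
 ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
 pos.v += WORD_ROUND(ntohs(pos.p->length)))
 
@@ -477,7 +477,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
 for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
 sizeof(sctp_chunkhdr_t));\
 (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\
-(void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\
+(void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
 ntohs(err->length) >= sizeof(sctp_errhdr_t); \
 err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length))))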
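Review bot: The walk still trusts `chunk_hdr.length` completely — after this change `end` in `_sctp_walk_params` is the unrounded wire length, so every bound in the loop condition is only as safe as that field, and nothing in this hunk checks it against the bytes actually received; that precondition belongs on the macro, e.g. `/* Caller must have validated chunk_hdr.length against the received data; these bounds only keep parameters inside the chunk. */`. A smaller point of style: `ntohs(pos.p->length)` is consumed by the fit test on the new `+` line before the `>= sizeof(sctp_paramhdr_t)` sanity test on the line after it, so a length of 0 is first used as a bound and only then rejected; moving the minimum-length test up to follow the header-fits test reads more naturally and gives the same result. Note also that a too-short length silently ends the walk instead of signalling malformed input, so callers (not visible here) cannot tell a complete walk from an aborted one. The comment block documenting the macro begins before the hunk, and `_sctp_walk_errors` in the second hunk is likewise defined on a line outside it.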