--- /dev/null
+From nobody Mon Sep 17 00:00:00 2001
+From: Sridhar Samudrala <sri@us.ibm.com>
+Date: Fri May 5 17:04:43 2006 -0700
+Subject: [PATCH] SCTP: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006-2272)
+
+Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
+are received as skb's with fragment list.
+
+Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+
+ net/sctp/sm_statefuns.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- linux-2.6.16.14.orig/net/sctp/sm_statefuns.c
++++ linux-2.6.16.14/net/sctp/sm_statefuns.c
+@@ -636,8 +636,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co
+ */
+ chunk->subh.cookie_hdr =
+ (struct sctp_signed_cookie *)chunk->skb->data;
+- skb_pull(chunk->skb,
+- ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t));
++ if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
++ sizeof(sctp_chunkhdr_t)))
++ goto nomem;
+
+ /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
+ * "Z" will reply with a COOKIE ACK chunk after building a TCB
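Review bot: In sctp_sf_do_5_1D_ce the cookie header pointer is still taken from `chunk->skb->data` before `pskb_pull()` runs, and pskb_pull() may reallocate the skb head when it has to bring data in from the fragment list. That could leave `chunk->subh.cookie_hdr`, and the older `chunk->chunk_hdr`, pointing at freed memory. Making the data linear first keeps the pointer valid: `if (!pskb_may_pull(chunk->skb, len)) goto nomem;` ahead of the assignment and a plain `skb_pull(chunk->skb, len);` after it, with `len` a local holding the existing length expression. The same ordering appears in the sctp_sf_beat_8_3 and sctp_sf_do_5_2_4_dupcook hunks. Whether the skb is already linearised earlier is not visible, because the function body starts and ends outside the hunk.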
+@@ -965,7 +966,8 @@ sctp_disposition_t sctp_sf_beat_8_3(cons
+ */
+ chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
+ paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
+- skb_pull(chunk->skb, paylen);
++ if (!pskb_pull(chunk->skb, paylen))
++ goto nomem;
+
+ reply = sctp_make_heartbeat_ack(asoc, chunk,
+ chunk->subh.hb_hdr, paylen);
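Review bot: Every `pskb_pull()` failure in sctp_sf_beat_8_3 now goes to `nomem`, but pskb_pull() also returns NULL when the requested length exceeds the data held in the skb. The length is an unsigned subtraction of `sizeof(sctp_chunkhdr_t)` from a field the peer supplies, so a value below the header size wraps to a very large number. Such a chunk would be reported as an allocation failure rather than as malformed input, unless a length check earlier in the function (outside this hunk) already rules it out. If that check exists, a comment here would record the dependency: `/* chunk length validated above; NULL means the pull could not allocate */`. Otherwise a separate discard path for the bad-length case would keep the two failures distinguishable in logs and counters.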
+@@ -1860,8 +1862,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupc
+ * are in good shape.
+ */
+ chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
+- skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
+- sizeof(sctp_chunkhdr_t));
++ if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
++ sizeof(sctp_chunkhdr_t)))
++ goto nomem;
+
+ /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
+ * of a duplicate COOKIE ECHO match the Verification Tags of the
--- /dev/null
+From nobody Mon Sep 17 00:00:00 2001
+From: Sridhar Samudrala <sri@us.ibm.com>
+Date: Fri May 5 17:05:23 2006 -0700
+Subject: [PATCH] SCTP: Fix state table entries for chunks received in CLOSED state. (CVE-2006-2271)
+
+Discard an unexpected chunk in CLOSED state rather than calling BUG().
+
+Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+
+ net/sctp/sm_statetable.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- linux-2.6.16.14.orig/net/sctp/sm_statetable.c
++++ linux-2.6.16.14/net/sctp/sm_statetable.c
+@@ -366,9 +366,9 @@ const sctp_sm_table_entry_t *sctp_sm_loo
+ /* SCTP_STATE_EMPTY */ \
+ {.fn = sctp_sf_ootb, .name = "sctp_sf_ootb"}, \
+ /* SCTP_STATE_CLOSED */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ /* SCTP_STATE_COOKIE_WAIT */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ /* SCTP_STATE_COOKIE_ECHOED */ \
+ {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \
+ /* SCTP_STATE_ESTABLISHED */ \
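Review bot: The ECNE rows change from `sctp_sf_bug` to `sctp_sf_discard_chunk` without a comment saying why `sctp_sf_bug` is unsafe here, so a later edit could reintroduce a BUG() that a peer can trigger. A line at the head of each table macro would record the rule, for example `/* Rows are selected by the received chunk type and our state: never use sctp_sf_bug for a state a peer's chunk can arrive in. */`. The macro definitions start outside the hunks, so the comment belongs there rather than next to the changed entries. The same applies to the SCTP_STATE_SHUTDOWN_ACK_SENT entries changed in the next two hunks (ECNE and CWR).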
+@@ -380,7 +380,7 @@ const sctp_sm_table_entry_t *sctp_sm_loo
+ /* SCTP_STATE_SHUTDOWN_RECEIVED */ \
+ {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \
+ /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ } /* TYPE_SCTP_ECN_ECNE */
+
+ #define TYPE_SCTP_ECN_CWR { \
+@@ -401,7 +401,7 @@ const sctp_sm_table_entry_t *sctp_sm_loo
+ /* SCTP_STATE_SHUTDOWN_RECEIVED */ \
+ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ } /* TYPE_SCTP_ECN_CWR */
+
+ #define TYPE_SCTP_SHUTDOWN_COMPLETE { \
+@@ -647,7 +647,7 @@ chunk_event_table_unknown[SCTP_STATE_NUM
+ /* SCTP_STATE_EMPTY */ \
+ {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
+ /* SCTP_STATE_CLOSED */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_error_closed, .name = "sctp_sf_error_closed"}, \
+ /* SCTP_STATE_COOKIE_WAIT */ \
+ {.fn = sctp_sf_do_prm_requestheartbeat, \
+ .name = "sctp_sf_do_prm_requestheartbeat"}, \
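Review bot: The SCTP_STATE_EMPTY row directly above the changed entry still points at `sctp_sf_bug`, while CLOSED now returns through `sctp_sf_error_closed`. Judging by the neighbouring `sctp_sf_do_prm_requestheartbeat` entry, this table appears to handle a local request rather than a received chunk, which the commit subject does not mention. If EMPTY cannot be reached by that request, a comment on the row would say so, for example `/* EMPTY: no association exists yet, request cannot be issued */`. If it can be reached, it should return an error the same way CLOSED now does. The table definition starts and continues outside the hunk, so other rows could not be checked.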