Two more SCTP security bugs
authorChris Wright <chrisw@sous-sol.org>
Sat, 20 May 2006 21:23:31 +0000 (14:23 -0700)
committerChris Wright <chrisw@sous-sol.org>
Sat, 20 May 2006 21:23:31 +0000 (14:23 -0700)
review-2.6.16/sctp-respect-the-real-chunk-length-when-walking-parameters.patch [new file with mode: 0644]
review-2.6.16/sctp-validate-the-parameter-length-in-hb-ack-chunk.patch [new file with mode: 0644]
review-2.6.16/series

diff --git a/review-2.6.16/sctp-respect-the-real-chunk-length-when-walking-parameters.patch b/review-2.6.16/sctp-respect-the-real-chunk-length-when-walking-parameters.patch
new file mode 100644 (file)
index 0000000..2c8ee4c
--- /dev/null
@@ -0,0 +1,53 @@
+From nobody Mon Sep 17 00:00:00 2001
+From: Vladislav Yasevich <vladislav.yasevich@hp.com>
+Date: Fri, 19 May 2006 11:52:20 -0700
+Subject: SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)
+
+When performing bound checks during the parameter processing, we
+want to use the real chunk and paramter lengths for bounds instead
+of the rounded ones.  This prevents us from potentially walking of
+the end if the chunk length was miscalculated.  We still use rounded
+lengths when advancing the pointer. This was found during a
+conformance test that changed the chunk length without modifying
+parameters.
+
+(Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
+is parameter dependent).
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ include/net/sctp/sctp.h |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512
+diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
+index e673b2c..aa6033c 100644
+--- linux-2.6.16.16.orig/include/net/sctp/sctp.h
++++ linux-2.6.16.16/include/net/sctp/sctp.h
+@@ -461,12 +461,12 @@ static inline int sctp_frag_point(const 
+  * there is room for a param header too.
+  */
+ #define sctp_walk_params(pos, chunk, member)\
+-_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member)
++_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)
+ #define _sctp_walk_params(pos, chunk, end, member)\
+ for (pos.v = chunk->member;\
+      pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\
+-     pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\
++     pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
+      ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
+      pos.v += WORD_ROUND(ntohs(pos.p->length)))
+@@ -477,7 +477,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
+ for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
+           sizeof(sctp_chunkhdr_t));\
+      (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\
+-     (void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\
++     (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
+      ntohs(err->length) >= sizeof(sctp_errhdr_t); \
+      err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length))))
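Review bot: The comment heading `sctp_walk_params` (it begins above the hunk; only its last line, `there is room for a param header too.`, is visible) should record why the bound and the advance now disagree, otherwise a later reader is likely to "re-align" them and reintroduce the over-read this patch removes. Suggested wording for that comment: `Bounds use the real (unrounded) chunk and parameter lengths so a word-rounded length can never place the check past the chunk end; only the advance is WORD_ROUNDed.` The same asymmetry is introduced in the `_sctp_walk_errors` hunk below, whose header comment is likewise outside this view and deserves the same sentence. It is also worth noting in that comment that `ntohs(pos.p->length)` is read only after the first `&&` term has established room for a full `sctp_paramhdr_t`, so the order of the three loop conditions is load-bearing and must not be reshuffled.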
diff --git a/review-2.6.16/sctp-validate-the-parameter-length-in-hb-ack-chunk.patch b/review-2.6.16/sctp-validate-the-parameter-length-in-hb-ack-chunk.patch
new file mode 100644 (file)
index 0000000..aa0362f
--- /dev/null
@@ -0,0 +1,37 @@
+From nobody Mon Sep 17 00:00:00 2001
+From: Vladislav Yasevich <vladislav.yasevich@hp.com>
+Date: Fri, 19 May 2006 14:25:53 -0700
+Subject: SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857)
+
+If SCTP receives a badly formatted HB-ACK chunk, it is possible
+that we may access invalid memory and potentially have a buffer
+overflow.  We should really make sure that the chunk format is
+what we expect, before attempting to touch the data.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+
+ net/sctp/sm_statefuns.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+a601266e4f3c479790f373c2e3122a766d123652
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 174f7a7..8bc2792 100644
+--- linux-2.6.16.16.orig/net/sctp/sm_statefuns.c
++++ linux-2.6.16.16/net/sctp/sm_statefuns.c
+@@ -1030,6 +1030,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(
+                                                 commands);
+       hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
++      /* Make sure that the length of the parameter is what we expect */
++      if (ntohs(hbinfo->param_hdr.length) !=
++                                  sizeof(sctp_sender_hb_info_t)) {
++              return SCTP_DISPOSITION_DISCARD;
++      }
++
+       from_addr = hbinfo->daddr;
+       link = sctp_assoc_lookup_paddr(asoc, &from_addr);
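Review bot: The new check validates only the value of `hbinfo->param_hdr.length`, not that the skb actually carries `sizeof(sctp_sender_hb_info_t)` bytes; if the chunk-length check that appears to precede the hunk (the `commands);` context line reads like the tail of a `sctp_sf_violation_chunklen` return) only requires a chunk header plus a parameter header, a chunk whose own length is short but whose parameter claims the full size still passes and `hbinfo->daddr` is read beyond the received data. The fix should tie the parameter length to the chunk length, e.g. by making that earlier check require `sizeof(sctp_chunkhdr_t) + sizeof(sctp_sender_hb_info_t)` rather than just the two headers (if the helper used there is `sctp_chunk_length_valid`, that is its minimum-length argument). I cannot see the earlier check from this hunk, so this is inferred from the context lines; sctp_sf_backbeat_8_3's body starts above and continues below the hunk.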
index 3669d5d6f1cd5e7870450af6e08be3dba8fcc22f..18df001409037a5d2653315d3314166a22bf7e4e 100644 (file)
@@ -19,3 +19,5 @@ add-migratepage-address-space-op-to-shmem.patch
 page-migration-Fix-fallback-behavior-for-dirty-pages.patch
 fix-ptrace_attach-ptrace_traceme-de_thread-race.patch
 ptrace_attach-fix-possible-deadlock-schenario-with-irqs.patch
+sctp-respect-the-real-chunk-length-when-walking-parameters.patch
+sctp-validate-the-parameter-length-in-hb-ack-chunk.patch