From: Chris Wright
Date: Tue, 9 May 2006 19:40:19 +0000 (-0700)
Subject: SCTP fixes for CVE-2006-2271 and CVE-2006-2272
X-Git-Tag: v2.6.16.15~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=64f3cccc5440425e2304c836a2dc13527bb83107;p=thirdparty%2Fkernel%2Fstable-queue.git
SCTP fixes for CVE-2006-2271 and CVE-2006-2272
---
diff --git a/releases/2.6.16.15/fix-panic-s-when-receiving-fragmented-sctp-control-chunks.patch b/releases/2.6.16.15/fix-panic-s-when-receiving-fragmented-sctp-control-chunks.patch
new file mode 100644
index 00000000000..5a0258f8ec8
--- /dev/null
+++ b/releases/2.6.16.15/fix-panic-s-when-receiving-fragmented-sctp-control-chunks.patch
@@ -0,0 +1,53 @@
+From nobody Mon Sep 17 00:00:00 2001
+From: Sridhar Samudrala
+Date: Fri May 5 17:04:43 2006 -0700
+Subject: [PATCH] SCTP: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006-2272)
+
+Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
+are received as skb's with fragment list.
+
+Signed-off-by: Sridhar Samudrala
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+
+---
+
+ net/sctp/sm_statefuns.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- linux-2.6.16.14.orig/net/sctp/sm_statefuns.c
++++ linux-2.6.16.14/net/sctp/sm_statefuns.c
+@@ -636,8 +636,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co
+ */
+ chunk->subh.cookie_hdr =
+ (struct sctp_signed_cookie *)chunk->skb->data;
+- skb_pull(chunk->skb,
+- ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t));
++ if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
++ sizeof(sctp_chunkhdr_t)))
++ goto nomem;
+
+ /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
+ * "Z" will reply with a COOKIE ACK chunk after building a TCB
+@@ -965,7 +966,8 @@ sctp_disposition_t sctp_sf_beat_8_3(cons
+ */
+ chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
+ paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
+- skb_pull(chunk->skb, paylen);
++ if (!pskb_pull(chunk->skb, paylen))
++ goto nomem;
+
+ reply = sctp_make_heartbeat_ack(asoc, chunk,
+ chunk->subh.hb_hdr, paylen);
+@@ -1860,8 +1862,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupc
+ * are in good shape.
+ */
+ chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
+- skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
+- sizeof(sctp_chunkhdr_t));
++ if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
++ sizeof(sctp_chunkhdr_t)))
++ goto nomem;
+
+ /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
+ * of a duplicate COOKIE ECHO match the Verification Tags of the
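Review bot: Each new `goto nomem` reports a malformed chunk as an out-of-memory condition: `pskb_pull()` returns NULL both when the allocation behind it fails and when `ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t)` asks for more bytes than the skb actually carries, and nothing in these three hunks validates the peer-supplied length field against the received data before the subtraction (if such a check exists it is outside the hunk). The panic is gone, but an attacker-chosen length now surfaces as NOMEM rather than as a protocol violation, which misleads anyone reading logs or counters. A comment at each of the three sites would at least make the dual meaning explicit: `/* NULL means OOM or a length field larger than the received data; drop the chunk either way. */`. In `sctp_sf_beat_8_3` a length below `sizeof(sctp_chunkhdr_t)` also makes `paylen` wrap to a large value (its type is not visible here), which is presumably caught by the same pull failure but deserves a stated guard rather than an implicit one. All three functions (`sctp_sf_do_5_1D_ce`, `sctp_sf_beat_8_3`, `sctp_sf_do_5_2_4_dupcook`) begin and end outside the hunk.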
diff --git a/releases/2.6.16.15/fix-state-table-entries-for-chunks-received-in-closed-state.patch b/releases/2.6.16.15/fix-state-table-entries-for-chunks-received-in-closed-state.patch
new file mode 100644
index 00000000000..f52525c3bf7
--- /dev/null
+++ b/releases/2.6.16.15/fix-state-table-entries-for-chunks-received-in-closed-state.patch
@@ -0,0 +1,57 @@
+From nobody Mon Sep 17 00:00:00 2001
+From: Sridhar Samudrala
+Date: Fri May 5 17:05:23 2006 -0700
+Subject: [PATCH] SCTP: Fix state table entries for chunks received in CLOSED state. (CVE-2006-2271)
+
+Discard an unexpected chunk in CLOSED state rather can calling BUG().
+
+Signed-off-by: Sridhar Samudrala
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+
+---
+
+ net/sctp/sm_statetable.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- linux-2.6.16.14.orig/net/sctp/sm_statetable.c
++++ linux-2.6.16.14/net/sctp/sm_statetable.c
+@@ -366,9 +366,9 @@ const sctp_sm_table_entry_t *sctp_sm_loo
+ /* SCTP_STATE_EMPTY */ \
+ {.fn = sctp_sf_ootb, .name = "sctp_sf_ootb"}, \
+ /* SCTP_STATE_CLOSED */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ /* SCTP_STATE_COOKIE_WAIT */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ /* SCTP_STATE_COOKIE_ECHOED */ \
+ {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \
+ /* SCTP_STATE_ESTABLISHED */ \
+@@ -380,7 +380,7 @@ const sctp_sm_table_entry_t *sctp_sm_loo
+ /* SCTP_STATE_SHUTDOWN_RECEIVED */ \
+ {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \
+ /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ } /* TYPE_SCTP_ECN_ECNE */
+
+ #define TYPE_SCTP_ECN_CWR { \
+@@ -401,7 +401,7 @@ const sctp_sm_table_entry_t *sctp_sm_loo
+ /* SCTP_STATE_SHUTDOWN_RECEIVED */ \
+ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
+ } /* TYPE_SCTP_ECN_CWR */
+
+ #define TYPE_SCTP_SHUTDOWN_COMPLETE { \
+@@ -647,7 +647,7 @@ chunk_event_table_unknown[SCTP_STATE_NUM
+ /* 
SCTP_STATE_EMPTY */ \
+ {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
+ /* SCTP_STATE_CLOSED */ \
+- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
++ {.fn = sctp_sf_error_closed, .name = "sctp_sf_error_closed"}, \
+ /* SCTP_STATE_COOKIE_WAIT */ \
+ {.fn = sctp_sf_do_prm_requestheartbeat, \
+ .name = "sctp_sf_do_prm_requestheartbeat"}, \
diff --git a/releases/2.6.16.15/series b/releases/2.6.16.15/series
new file mode 100644
index 00000000000..e5ca588a671
--- /dev/null
+++ b/releases/2.6.16.15/series
@@ -0,0 +1,2 @@
+fix-panic-s-when-receiving-fragmented-sctp-control-chunks.patch
+fix-state-table-entries-for-chunks-received-in-closed-state.patch
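Review bot: Swapping individual `sctp_sf_bug` cells leaves the underlying hazard in place: every remaining state-table cell that still names `sctp_sf_bug` is a remotely triggerable `BUG()` the moment a peer sends that chunk type in that state, and this hunk only corrects the ECNE, CWR and REQUESTHEARTBEAT cells it touches. The `SCTP_STATE_EMPTY` entry of the heartbeat-primitive table, for instance, is left as `sctp_sf_bug` in the context lines; if a primitive can never be issued without an association that is harmless, but it is an assumption the table does not enforce. A defensive follow-up would make `sctp_sf_bug` itself (its body is outside this hunk) warn and discard rather than panic, so a missed cell degrades to a dropped chunk. The new entries also deserve a one-line rationale beside them so a later editor does not restore the "impossible" marker, e.g. `/* Peer-originated ECNE/CWR can arrive in any state; discard, never BUG() (CVE-2006-2271). */`.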