From: Chris Wright
Date: Sat, 20 May 2006 21:23:31 +0000 (-0700)
Subject: Two more SCTP security bugs
X-Git-Tag: v2.6.16.17~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b03bbe701c79997ff3499947ca88c73bd783ca48;p=thirdparty%2Fkernel%2Fstable-queue.git
Two more SCTP security bugs
---
diff --git a/review-2.6.16/sctp-respect-the-real-chunk-length-when-walking-parameters.patch b/review-2.6.16/sctp-respect-the-real-chunk-length-when-walking-parameters.patch
new file mode 100644
index 00000000000..2c8ee4c0a02
--- /dev/null
+++ b/review-2.6.16/sctp-respect-the-real-chunk-length-when-walking-parameters.patch
@@ -0,0 +1,53 @@
+From nobody Mon Sep 17 00:00:00 2001
+From: Vladislav Yasevich
+Date: Fri, 19 May 2006 11:52:20 -0700
+Subject: SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)
+
+When performing bound checks during the parameter processing, we
+want to use the real chunk and paramter lengths for bounds instead
+of the rounded ones. This prevents us from potentially walking of
+the end if the chunk length was miscalculated. We still use rounded
+lengths when advancing the pointer. This was found during a
+conformance test that changed the chunk length without modifying
+parameters.
+
+(Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
+is parameter dependent).
+
+Signed-off-by: Vlad Yasevich
+Signed-off-by: Sridhar Samudrala
+Signed-off-by: Chris Wright
+---
+
+ include/net/sctp/sctp.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512
+diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
+index e673b2c..aa6033c 100644
+--- linux-2.6.16.16.orig/include/net/sctp/sctp.h
++++ linux-2.6.16.16/include/net/sctp/sctp.h
+@@ -461,12 +461,12 @@ static inline int sctp_frag_point(const
+ * there is room for a param header too.
+ */
+ #define sctp_walk_params(pos, chunk, member)\
+-_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member)
++_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)
+
+ #define _sctp_walk_params(pos, chunk, end, member)\
+ for (pos.v = chunk->member;\
+ pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\
+- pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\
++ pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
+ ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
+ pos.v += WORD_ROUND(ntohs(pos.p->length)))
+
+@@ -477,7 +477,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
+ for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
+ sizeof(sctp_chunkhdr_t));\
+ (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\
+- (void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\
++ (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
+ ntohs(err->length) >= sizeof(sctp_errhdr_t); \
+ err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length))))
+
diff --git a/review-2.6.16/sctp-validate-the-parameter-length-in-hb-ack-chunk.patch b/review-2.6.16/sctp-validate-the-parameter-length-in-hb-ack-chunk.patch
new file mode 100644
index 00000000000..aa0362f6e15
--- /dev/null
+++ b/review-2.6.16/sctp-validate-the-parameter-length-in-hb-ack-chunk.patch
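Review bot: The corrected bounds in `_sctp_walk_params` and `_sctp_walk_errors` rely on a distinction the macros never state: the real chunk and parameter lengths are used for the two `<=` checks while the word-rounded length is used only in the advance, so a later cleanup that "harmonises" the comparison back to `WORD_ROUND(...)` would reopen the over-read this patch closes. I would add a comment above `#define _sctp_walk_params`, e.g. `/* Bound checks use the real (unrounded) chunk and parameter lengths so a chunk with an understated length is never walked past its end; only the advance rounds, since the last parameter's padding may lie beyond the chunk length. */`, and the same note on `_sctp_walk_errors`. The comment block ending at ` * there is room for a param header too.` begins before the hunk, and the header line of `_sctp_walk_errors` is outside it as well. It is also worth noting in that comment that the `sizeof(sctp_paramhdr_t)` check on the preceding line is what makes the first `ntohs(pos.p->length)` read safe, because the length field is decoded three times in the condition plus once in the increment and the ordering is load-bearing.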
@@ -0,0 +1,37 @@
+From nobody Mon Sep 17 00:00:00 2001
+From: Vladislav Yasevich
+Date: Fri, 19 May 2006 14:25:53 -0700
+Subject: SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857)
+
+If SCTP receives a badly formatted HB-ACK chunk, it is possible
+that we may access invalid memory and potentially have a buffer
+overflow. We should really make sure that the chunk format is
+what we expect, before attempting to touch the data.
+
+Signed-off-by: Vlad Yasevich
+Signed-off-by: Sridhar Samudrala
+Signed-off-by: Chris Wright
+
+---
+
+ net/sctp/sm_statefuns.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+a601266e4f3c479790f373c2e3122a766d123652
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 174f7a7..8bc2792 100644
+--- linux-2.6.16.16.orig/net/sctp/sm_statefuns.c
++++ linux-2.6.16.16/net/sctp/sm_statefuns.c
+@@ -1030,6 +1030,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(
+ commands);
+
+ hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
++ /* Make sure that the length of the parameter is what we expect */
++ if (ntohs(hbinfo->param_hdr.length) !=
++ sizeof(sctp_sender_hb_info_t)) {
++ return SCTP_DISPOSITION_DISCARD;
++ }
++
+ from_addr = hbinfo->daddr;
+ link = sctp_assoc_lookup_paddr(asoc, &from_addr);
+
diff --git a/review-2.6.16/series b/review-2.6.16/series
index 3669d5d6f1c..18df0014090 100644
--- a/review-2.6.16/series
+++ b/review-2.6.16/series
@@ -19,3 +19,5 @@ add-migratepage-address-space-op-to-shmem.patch
 page-migration-Fix-fallback-behavior-for-dirty-pages.patch
 fix-ptrace_attach-ptrace_traceme-de_thread-race.patch
 ptrace_attach-fix-possible-deadlock-schenario-with-irqs.patch
+sctp-respect-the-real-chunk-length-when-walking-parameters.patch
+sctp-validate-the-parameter-length-in-hb-ack-chunk.patch
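Review bot: The added check in `sctp_sf_backbeat_8_3` validates the parameter's self-declared length against `sizeof(sctp_sender_hb_info_t)` but not against the chunk's own length, and it reads `hbinfo->param_hdr.length` through the freshly cast `chunk->skb->data` before anything in this hunk shows the chunk holds even a parameter header; a HB-ACK whose chunk length is shorter than the parameter would still pass if the parameter field claims the full size. Unless a length check near the top of the function (outside this hunk) already covers it, I would guard the cast with the received chunk length, e.g. `if (ntohs(chunk->chunk_hdr->length) < sizeof(sctp_chunkhdr_t) + sizeof(sctp_sender_hb_info_t)) return SCTP_DISPOSITION_DISCARD;` placed before the `hbinfo =` line, keeping the new parameter-length comparison as well. The function begins and ends outside the hunk, so whether such a check already exists cannot be confirmed from here.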