[kernel] r6625 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sat May 20 05:30:45 UTC 2006


Author: dannf
Date: Sat May 20 05:30:42 2006
New Revision: 6625

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/216_sctp-fragmented-receive-fix.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3

Log:
* 216_sctp-fragmented-receive-fix.diff
  [SECURITY] Fix remote DoS vulnerability that allows IP fragmented
  COOKIE_ECHO and HEARTBEAT SCTP control chunks to cause a kernel panic
  See CVE-2006-2272

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Sat May 20 05:30:42 2006
@@ -35,8 +35,12 @@
     [SECURITY] Fix remote DoS vulnerability that can lead to infinite recursion
     when a packet containing two or more DATA fragments is received
     See CVE-2006-2274
+  * 216_sctp-fragmented-receive-fix.diff
+    [SECURITY] Fix remote DoS vulnerability that allows IP fragmented
+    COOKIE_ECHO and HEARTBEAT SCTP control chunks to cause a kernel panic
+    See CVE-2006-2272
 
- -- dann frazier <dannf at debian.org>  Sat, 20 May 2006 00:25:01 -0500
+ -- dann frazier <dannf at debian.org>  Sat, 20 May 2006 00:28:53 -0500
 
 kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/216_sctp-fragmented-receive-fix.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/216_sctp-fragmented-receive-fix.diff	Sat May 20 05:30:42 2006
@@ -0,0 +1,55 @@
+Applies to both Sarge 2.4.27 and 2.6.8. 
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree 40885c13b394cd1b74acc196f1d7990a3e0a484d (from bf7d8bacaaf241a0f0157986fd4e1e6834873d50)
+Author: Sridhar Samudrala <sri at us.ibm.com>
+Date:   Fri May 5 17:04:43 2006 -0700
+
+    [PATCH] SCTP: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006-2272)
+    
+    Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
+    are received as skb's with fragment list.
+    
+    Signed-off-by: Sridhar Samudrala <sri at us.ibm.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 2b9a832..db2c0e7 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -636,8 +636,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co
+ 	 */
+         chunk->subh.cookie_hdr =
+ 		(struct sctp_signed_cookie *)chunk->skb->data;
+-	skb_pull(chunk->skb,
+-		 ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t));
++	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
++					 sizeof(sctp_chunkhdr_t)))
++		goto nomem;
+ 
+ 	/* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
+ 	 * "Z" will reply with a COOKIE ACK chunk after building a TCB
+@@ -965,7 +966,8 @@ sctp_disposition_t sctp_sf_beat_8_3(cons
+ 	 */
+ 	chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
+ 	paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
+-	skb_pull(chunk->skb, paylen);
++	if (!pskb_pull(chunk->skb, paylen))
++		goto nomem;
+ 
+ 	reply = sctp_make_heartbeat_ack(asoc, chunk,
+ 					chunk->subh.hb_hdr, paylen);
+@@ -1860,8 +1862,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupc
+ 	 * are in good shape.
+ 	 */
+         chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
+-	skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
+-		 sizeof(sctp_chunkhdr_t));
++	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
++					sizeof(sctp_chunkhdr_t)))
++		goto nomem;
+ 
+ 	/* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
+ 	 * of a duplicate COOKIE ECHO match the Verification Tags of the
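Review bot: In all three hunks (sctp_sf_do_5_1D_ce, sctp_sf_beat_8_3 and the duplicate-cookie handler) the header pointer, `chunk->subh.cookie_hdr` or `chunk->subh.hb_hdr`, is still captured from `chunk->skb->data` on the line before the new `pskb_pull()` call, and pskb_pull() on an skb with a fragment list can, as far as I recall its implementation, reallocate the head to linearize the requested bytes, which moves `skb->data` and frees the old buffer, so on that path the saved pointer (and presumably `chunk->chunk_hdr`, set the same way by the caller) would refer to freed memory when `sctp_make_heartbeat_ack()` and the cookie unpacking later read through it. The added `goto nomem` only covers the allocation-failure return of pskb_pull(), not a successful pull that relocated the head. I would either check `pskb_may_pull()` for the whole chunk before any pointer into the data is taken and keep the plain `skb_pull()` afterwards, or linearize the skb once in the receive path so these state functions never see a fragment list; in either case a comment such as `/* pskb_pull may reallocate skb->head; do not cache skb->data across it */` at the first call site would record the constraint. The `nomem` label, the assignment of `chunk->chunk_hdr` and the later uses of these pointers all lie outside the hunks, so I cannot confirm from this diff alone whether the relocation case is reachable.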

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	Sat May 20 05:30:42 2006
@@ -7,3 +7,4 @@
 + 213_madvise_remove-restrict.diff
 + 214_mcast-ip-route-null-deref.diff
 + 215_sctp-fragment-recurse.diff
++ 216_sctp-fragmented-receive-fix.diff



More information about the Kernel-svn-changes mailing list