[kernel] r6653 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sat May 20 16:59:37 UTC 2006


Author: dannf
Date: Sat May 20 16:59:36 2006
New Revision: 6653

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/220_sctp-param-bound-checks.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3

Log:
* 220_sctp-param-bound-checks.diff
  [SECURITY] Fix a bound checking error (remote DoS) in the SCTP parameter
  checking code
  See CVE-2006-1858

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Sat May 20 16:59:36 2006
@@ -53,8 +53,12 @@
     [SECURITY] Fix a remote buffer overflow that can result from a badly
     formatted HB-ACK chunk
     See CVE-2006-1857
+  * 220_sctp-param-bound-checks.diff
+    [SECURITY] Fix a bound checking error (remote DoS) in the SCTP parameter
+    checking code
+    See CVE-2006-1858
 
- -- dann frazier <dannf at debian.org>  Sat, 20 May 2006 11:33:14 -0500
+ -- dann frazier <dannf at debian.org>  Sat, 20 May 2006 11:54:19 -0500
 
 kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/220_sctp-param-bound-checks.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/220_sctp-param-bound-checks.diff	Sat May 20 16:59:36 2006
@@ -0,0 +1,48 @@
+From: Vladislav Yasevich <vladislav.yasevich at hp.com>
+Date: Fri, 19 May 2006 18:52:20 +0000 (-0700)
+Subject: [SCTP]: Respect the real chunk length when walking parameters.
+X-Git-Url: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512
+
+[SCTP]: Respect the real chunk length when walking parameters.
+
+When performing bound checks during the parameter processing, we
+want to use the real chunk and paramter lengths for bounds instead
+of the rounded ones.  This prevents us from potentially walking of
+the end if the chunk length was miscalculated.  We still use rounded
+lengths when advancing the pointer. This was found during a
+conformance test that changed the chunk length without modifying
+parameters.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+Signed-off-by: Sridhar Samudrala <sri at us.ibm.com>
+---
+
+# backported to Debian's 2.4.27 by dann frazier <dannf at debian.org>
+
+diff -urN kernel-source-2.4.27.orig/include/net/sctp/sctp.h kernel-source-2.4.27/include/net/sctp/sctp.h
+--- kernel-source-2.4.27.orig/include/net/sctp/sctp.h	2004-08-07 18:26:06.000000000 -0500
++++ kernel-source-2.4.27/include/net/sctp/sctp.h	2006-05-20 11:45:09.261403000 -0500
+@@ -472,12 +472,12 @@
+  * there is room for a param header too.
+  */
+ #define sctp_walk_params(pos, chunk, member)\
+-_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member)
++_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)
+ 
+ #define _sctp_walk_params(pos, chunk, end, member)\
+ for (pos.v = chunk->member;\
+      pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\
+-     pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)); \
++     pos.v <= (void *)chunk + end - ntohs(pos.p->length); \
+      pos.v += WORD_ROUND(ntohs(pos.p->length)))
+ 
+ #define sctp_walk_errors(err, chunk_hdr)\
+@@ -488,7 +488,7 @@
+ 	    sizeof(sctp_chunkhdr_t));\
+      (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\
+      (void *)err <= (void *)chunk_hdr + end - \
+-		    WORD_ROUND(ntohs(err->length));\
++		    ntohs(err->length);\
+      err = (sctp_errhdr_t *)((void *)err + \
+ 	    WORD_ROUND(ntohs(err->length))))
+ 
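Review bot: Neither `_sctp_walk_params` nor `sctp_walk_errors` rejects an entry whose length field is smaller than its own header, so the new unrounded bound still accepts a length of 0. If `WORD_ROUND(0)` evaluates to 0 (its definition is outside this patch), the step `pos.v += WORD_ROUND(ntohs(pos.p->length))` makes no progress and the walk never terminates, unless every caller rejects such lengths in the loop body, which is not visible here. Adding `ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t) &&` to the parameter condition and `ntohs(err->length) >= sizeof(sctp_errhdr_t) &&` to the error condition would make both macros safe on their own. The `sctp_walk_errors` macro starts above the second inner hunk, so its initialiser and the computation of `end` cannot be checked from this page.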

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	Sat May 20 16:59:36 2006
@@ -11,3 +11,4 @@
 + 217_amd64-fp-reg-leak.diff
 + 218_do_add_counters-race.diff
 + 219_sctp-hb-ack-overflow.diff
++ 220_sctp-param-bound-checks.diff


