From: Dan Rosenberg <drosenberg@vsecurity.com>
To: vladislav.yasevich@hp.com, sri@us.ibm.com
Cc: linux-sctp@vger.kernel.org, linux-kernel@vger.kernel.org,
security@kernel.org, stable@kernel.org, netdev@vger.kernel.org
Subject: [PATCH] Fix out-of-bounds reading in sctp_asoc_get_hmac()
Date: Fri, 01 Oct 2010 21:51:47 +0000 [thread overview]
Message-ID: <1285969907.2814.49.camel@Dan> (raw)
The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
array and attempts to ensure that only a supported hmac entry is
returned. The current code fails to do this properly - if the last id
in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
id integer remains set after exiting the loop, and the address of an
out-of-bounds entry will be returned and subsequently used in the parent
function, causing potentially ugly memory corruption. This patch resets
the id integer to 0 on encountering an invalid id so that NULL will be
returned after finishing the loop if no valid ids are found.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
--- linux-2.6.35.5.orig/net/sctp/auth.c 2010-09-20 16:59:09.000000000 -0400
+++ linux-2.6.35.5/net/sctp/auth.c 2010-10-01 16:48:58.000000000 -0400
@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hma
id = ntohs(hmacs->hmac_ids[i]);
/* Check the id is in the supported range */
- if (id > SCTP_AUTH_HMAC_ID_MAX)
+ if (id > SCTP_AUTH_HMAC_ID_MAX) {
+ id = 0;
continue;
+ }
/* See is we support the id. Supported IDs have name and
* length fields set, so that we can allocated and use
* them. We can safely just check for name, for without the
* name, we can't allocate the TFM.
*/
- if (!sctp_hmac_list[id].hmac_name)
+ if (!sctp_hmac_list[id].hmac_name) {
+ id = 0;
continue;
+ }
break;
}
WARNING: multiple messages have this Message-ID (diff)
From: Dan Rosenberg <drosenberg@vsecurity.com>
To: vladislav.yasevich@hp.com, sri@us.ibm.com
Cc: linux-sctp@vger.kernel.org, linux-kernel@vger.kernel.org,
security@kernel.org, stable@kernel.org, netdev@vger.kernel.org
Subject: [PATCH] Fix out-of-bounds reading in sctp_asoc_get_hmac()
Date: Fri, 01 Oct 2010 17:51:47 -0400 [thread overview]
Message-ID: <1285969907.2814.49.camel@Dan> (raw)
The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
array and attempts to ensure that only a supported hmac entry is
returned. The current code fails to do this properly - if the last id
in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
id integer remains set after exiting the loop, and the address of an
out-of-bounds entry will be returned and subsequently used in the parent
function, causing potentially ugly memory corruption. This patch resets
the id integer to 0 on encountering an invalid id so that NULL will be
returned after finishing the loop if no valid ids are found.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
--- linux-2.6.35.5.orig/net/sctp/auth.c 2010-09-20 16:59:09.000000000 -0400
+++ linux-2.6.35.5/net/sctp/auth.c 2010-10-01 16:48:58.000000000 -0400
@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hma
id = ntohs(hmacs->hmac_ids[i]);
/* Check the id is in the supported range */
- if (id > SCTP_AUTH_HMAC_ID_MAX)
+ if (id > SCTP_AUTH_HMAC_ID_MAX) {
+ id = 0;
continue;
+ }
/* See is we support the id. Supported IDs have name and
* length fields set, so that we can allocated and use
* them. We can safely just check for name, for without the
* name, we can't allocate the TFM.
*/
- if (!sctp_hmac_list[id].hmac_name)
+ if (!sctp_hmac_list[id].hmac_name) {
+ id = 0;
continue;
+ }
break;
}
next reply other threads:[~2010-10-01 21:51 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-01 21:51 Dan Rosenberg [this message]
2010-10-01 21:51 ` [PATCH] Fix out-of-bounds reading in sctp_asoc_get_hmac() Dan Rosenberg
2010-10-01 22:13 ` Vlad Yasevich
2010-10-01 22:13 ` Vlad Yasevich
2010-10-04 5:00 ` David Miller
2010-10-04 5:00 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1285969907.2814.49.camel@Dan \
--to=drosenberg@vsecurity.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=security@kernel.org \
--cc=sri@us.ibm.com \
--cc=stable@kernel.org \
--cc=vladislav.yasevich@hp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.