diff for duplicates of <4BD83F85.8090308@hp.com>
diff --git a/a/1.txt b/N1/1.txt
index 72ddb06..101056e 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -33,7 +33,7 @@ Neil Horman wrote:
 > <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
 > <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
 > <5> ds: 007b es: 007b ss: 0068
-> <5> Process swapper (pid: 0, threadinfoÀ40f000 taskÀ370be0)
+> <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
 > <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
 > e0c2947d
 > <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
@@ -72,7 +72,7 @@ Neil Horman wrote:
 > which too many of its variable length parameters are in some way malformed.
 >
 > The problem is in sctp_process_unk_param:
-> if (NULL = *errp)
+> if (NULL == *errp)
 > *errp = sctp_make_op_error_space(asoc, chunk,
 > ntohs(chunk->chunk_hdr->length));
 >
@@ -92,7 +92,7 @@ Neil Horman wrote:
 >
 > The result of this error is that a deliberately malformed packet sent to a
 > listening host can cause a remote DOS, described in CVE-2010-1173:
-> http://cve.mitre.org/cgi-bin/cvename.cgi?name 10-1173
+> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
 >
 > I've tested the below fix and confirmed that it fixes the issue. It
 > pre-allocates the error chunk in sctp_verify_init, where we are able to count
@@ -120,10 +120,10 @@ Neil Horman wrote:
 > + unsigned int len;
 >
 > /* Verify stream values are non-zero. */
-> if ((0 = peer_init->init_hdr.num_outbound_streams) ||
+> if ((0 == peer_init->init_hdr.num_outbound_streams) ||
 > @@ -2149,6 +2151,7 @@ int sctp_verify_init(const struct sctp_association *asoc,
 >
-> if (SCTP_PARAM_STATE_COOKIE = param.p->type)
+> if (SCTP_PARAM_STATE_COOKIE == param.p->type)
 > has_cookie = 1;
 > + param_cnt++;
>
@@ -158,9 +158,9 @@ Neil Horman wrote:
 > case SCTP_IERROR_ERROR:
 > - return 1;
 > + len = ntohs((*errp)->chunk_hdr->length);
-> + if ((*errp) && (len = sizeof(sctp_chunkhdr_t)))
+> + if ((*errp) && (len == sizeof(sctp_chunkhdr_t)))
 > + sctp_chunk_free(*errp);
-> + return (result = SCTP_IERROR_ERROR) ? 1 : 0;
+> + return (result == SCTP_IERROR_ERROR) ? 1 : 0;
 > case SCTP_IERROR_NO_ERROR:
 > default:
 > break;
diff --git a/a/content_digest b/N1/content_digest
index 4065b46..9297574 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -1,7 +1,7 @@
 "ref\020100428134748.GA4818@hmsreliant.think-freely.org\0"
 "From\0Vlad Yasevich <vladislav.yasevich@hp.com>\0"
- "Subject\0Re: [PATCH]: sctp: Fix skb_over_panic resulting from multiple invalid\0"
- "Date\0Wed, 28 Apr 2010 14:00:37 +0000\0"
+ "Subject\0Re: [PATCH]: sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173)\0"
+ "Date\0Wed, 28 Apr 2010 10:00:37 -0400\0"
 "To\0Neil Horman <nhorman@tuxdriver.com>\0"
 "Cc\0sri@us.ibm.com"
 linux-sctp@vger.kernel.org
@@ -46,7 +46,7 @@
 "> <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44\n"
 "> <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40\n"
 "> <5> ds: 007b es: 007b ss: 0068\n"
- "> <5> Process swapper (pid: 0, threadinfo\303\20040f000 task\303\200370be0)\n"
+ "> <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)\n"
 "> <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180\n"
 "> e0c2947d \n"
 "> <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004\n"
@@ -85,7 +85,7 @@
 "> which too many of its variable length parameters are in some way malformed.\n"
 "> \n"
 "> The problem is in sctp_process_unk_param:\n"
- "> if (NULL = *errp)\n"
+ "> if (NULL == *errp)\n"
 "> \t*errp = sctp_make_op_error_space(asoc, chunk,\n"
 "> \t\t\t\t\t ntohs(chunk->chunk_hdr->length));\n"
 "> \n"
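Review bot: In the quoted sctp_verify_init change (hunk `@@ -158,9 +158,9 @@` of 1.txt), `len = ntohs((*errp)->chunk_hdr->length);` reads through `*errp` one line before `if ((*errp) && ...)` tests it, so the NULL test cannot protect that read. If `*errp` can be NULL on this path (the allocation site is not in the hunk), the read belongs inside the guard: `if (*errp && ntohs((*errp)->chunk_hdr->length) == sizeof(sctp_chunkhdr_t))`. As far as the hunk shows, `*errp` also keeps pointing at the chunk after `sctp_chunk_free(*errp)`; whether a caller still uses it is outside the hunk and worth checking. The same quoted lines recur in the `@@ -171,9 +171,9 @@` hunk of content_digest, and the enclosing switch begins and ends outside both hunks.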
@@ -105,7 +105,7 @@
 "> \n"
 "> The result of this error is that a deliberately malformed packet sent to a\n"
 "> listening host can cause a remote DOS, described in CVE-2010-1173:\n"
- "> http://cve.mitre.org/cgi-bin/cvename.cgi?name 10-1173\n"
+ "> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173\n"
 "> \n"
 "> I've tested the below fix and confirmed that it fixes the issue. It\n"
 "> pre-allocates the error chunk in sctp_verify_init, where we are able to count\n"
@@ -133,10 +133,10 @@
 "> +\tunsigned int len;\n"
 "> \n"
 "> \t/* Verify stream values are non-zero. */\n"
- "> \tif ((0 = peer_init->init_hdr.num_outbound_streams) ||\n"
+ "> \tif ((0 == peer_init->init_hdr.num_outbound_streams) ||\n"
 "> @@ -2149,6 +2151,7 @@ int sctp_verify_init(const struct sctp_association *asoc,\n"
 "> \n"
- "> \t\tif (SCTP_PARAM_STATE_COOKIE = param.p->type)\n"
+ "> \t\tif (SCTP_PARAM_STATE_COOKIE == param.p->type)\n"
 "> \t\t\thas_cookie = 1;\n"
 "> +\t\tparam_cnt++;\n"
 "> \n"
@@ -171,9 +171,9 @@
 "> \t\t case SCTP_IERROR_ERROR:\n"
 "> -\t\t\t\treturn 1;\n"
 "> +\t\t\t\tlen = ntohs((*errp)->chunk_hdr->length);\n"
- "> +\t\t\t\tif ((*errp) && (len = sizeof(sctp_chunkhdr_t)))\n"
+ "> +\t\t\t\tif ((*errp) && (len == sizeof(sctp_chunkhdr_t)))\n"
 "> +\t\t\t\t\tsctp_chunk_free(*errp);\n"
- "> +\t\t\t\treturn (result = SCTP_IERROR_ERROR) ? 1 : 0;\n"
+ "> +\t\t\t\treturn (result == SCTP_IERROR_ERROR) ? 1 : 0;\n"
 "> \t\t case SCTP_IERROR_NO_ERROR:\n"
 "> \t\t default:\n"
 "> \t\t\t\tbreak;\n"
@@ -191,4 +191,4 @@
 "> More majordomo info at http://vger.kernel.org/majordomo-info.html\n"
 >
-26ee19c1e75c75348f46b1901093fe6377eef0e447eb75a21de7bfe741c6393a
+48abe0d63c973367d3e17546bce7f3d38014875839acd9d26e9e11b36565a586