diff for duplicates of <4BD8438C.8030502@hp.com>
diff --git a/a/1.txt b/N1/1.txt
index d5d94cb..626b8fd 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -40,7 +40,7 @@ Scratch that. I totally misread the description and the patch.
 >> <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
 >> <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
 >> <5> ds: 007b es: 007b ss: 0068
->> <5> Process swapper (pid: 0, threadinfoÀ40f000 taskÀ370be0)
+>> <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
 >> <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
 >> e0c2947d
 >> <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
@@ -79,7 +79,7 @@ Scratch that. I totally misread the description and the patch.
 >> which too many of its variable length parameters are in some way malformed.
 >>
 >> The problem is in sctp_process_unk_param:
->> if (NULL = *errp)
+>> if (NULL == *errp)
 >> *errp = sctp_make_op_error_space(asoc, chunk,
 >> ntohs(chunk->chunk_hdr->length));
 >>
@@ -99,7 +99,7 @@ Scratch that. I totally misread the description and the patch.
 >>
 >> The result of this error is that a deliberately malformed packet sent to a
 >> listening host can cause a remote DOS, described in CVE-2010-1173:
->> http://cve.mitre.org/cgi-bin/cvename.cgi?name 10-1173
+>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
 >>
 >> I've tested the below fix and confirmed that it fixes the issue. It
 >> pre-allocates the error chunk in sctp_verify_init, where we are able to count
@@ -127,10 +127,10 @@ Scratch that. I totally misread the description and the patch.
 >> + unsigned int len;
 >>
 >> /* Verify stream values are non-zero. */
->> if ((0 = peer_init->init_hdr.num_outbound_streams) ||
+>> if ((0 == peer_init->init_hdr.num_outbound_streams) ||
>> @@ -2149,6 +2151,7 @@ int sctp_verify_init(const struct sctp_association *asoc,
 >>
->> if (SCTP_PARAM_STATE_COOKIE = param.p->type)
+>> if (SCTP_PARAM_STATE_COOKIE == param.p->type)
 >> has_cookie = 1;
 >> + param_cnt++;
 >>
@@ -165,9 +165,9 @@ Scratch that. I totally misread the description and the patch.
 >> case SCTP_IERROR_ERROR:
 >> - return 1;
 >> + len = ntohs((*errp)->chunk_hdr->length);
->> + if ((*errp) && (len = sizeof(sctp_chunkhdr_t)))
+>> + if ((*errp) && (len == sizeof(sctp_chunkhdr_t)))
 >> + sctp_chunk_free(*errp);
->> + return (result = SCTP_IERROR_ERROR) ? 1 : 0;
+>> + return (result == SCTP_IERROR_ERROR) ? 1 : 0;
 >> case SCTP_IERROR_NO_ERROR:
 >> default:
 >> break;
diff --git a/a/content_digest b/N1/content_digest
index 64fefdd..dd72e72 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -1,8 +1,8 @@
 "ref\020100428134748.GA4818@hmsreliant.think-freely.org\0"
 "ref\04BD83F85.8090308@hp.com\0"
 "From\0Vlad Yasevich <vladislav.yasevich@hp.com>\0"
- "Subject\0Re: [PATCH]: sctp: Fix skb_over_panic resulting from multiple invalid\0"
- "Date\0Wed, 28 Apr 2010 14:17:48 +0000\0"
+ "Subject\0Re: [PATCH]: sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173)\0"
+ "Date\0Wed, 28 Apr 2010 10:17:48 -0400\0"
 "To\0Neil Horman <nhorman@tuxdriver.com>\0"
 "Cc\0sri@us.ibm.com"
 linux-sctp@vger.kernel.org
@@ -54,7 +54,7 @@
 ">> <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44\n"
 ">> <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40\n"
 ">> <5> ds: 007b es: 007b ss: 0068\n"
- ">> <5> Process swapper (pid: 0, threadinfo\303\20040f000 task\303\200370be0)\n"
+ ">> <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)\n"
 ">> <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180\n"
 ">> e0c2947d \n"
 ">> <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004\n"
@@ -93,7 +93,7 @@
 ">> which too many of its variable length parameters are in some way malformed.\n"
 ">>\n"
 ">> The problem is in sctp_process_unk_param:\n"
- ">> if (NULL = *errp)\n"
+ ">> if (NULL == *errp)\n"
 ">> \t*errp = sctp_make_op_error_space(asoc, chunk,\n"
 ">> \t\t\t\t\t ntohs(chunk->chunk_hdr->length));\n"
 ">>\n"
@@ -113,7 +113,7 @@
 ">>\n"
 ">> The result of this error is that a deliberately malformed packet sent to a\n"
 ">> listening host can cause a remote DOS, described in CVE-2010-1173:\n"
- ">> http://cve.mitre.org/cgi-bin/cvename.cgi?name 10-1173\n"
+ ">> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173\n"
 ">>\n"
 ">> I've tested the below fix and confirmed that it fixes the issue. It\n"
 ">> pre-allocates the error chunk in sctp_verify_init, where we are able to count\n"
@@ -141,10 +141,10 @@
 ">> +\tunsigned int len;\n"
 ">> \n"
 ">> \t/* Verify stream values are non-zero. */\n"
- ">> \tif ((0 = peer_init->init_hdr.num_outbound_streams) ||\n"
+ ">> \tif ((0 == peer_init->init_hdr.num_outbound_streams) ||\n"
 ">> @@ -2149,6 +2151,7 @@ int sctp_verify_init(const struct sctp_association *asoc,\n"
 ">> \n"
- ">> \t\tif (SCTP_PARAM_STATE_COOKIE = param.p->type)\n"
+ ">> \t\tif (SCTP_PARAM_STATE_COOKIE == param.p->type)\n"
 ">> \t\t\thas_cookie = 1;\n"
 ">> +\t\tparam_cnt++;\n"
 ">> \n"
@@ -179,9 +179,9 @@
 ">> \t\t case SCTP_IERROR_ERROR:\n"
 ">> -\t\t\t\treturn 1;\n"
 ">> +\t\t\t\tlen = ntohs((*errp)->chunk_hdr->length);\n"
- ">> +\t\t\t\tif ((*errp) && (len = sizeof(sctp_chunkhdr_t)))\n"
+ ">> +\t\t\t\tif ((*errp) && (len == sizeof(sctp_chunkhdr_t)))\n"
 ">> +\t\t\t\t\tsctp_chunk_free(*errp);\n"
- ">> +\t\t\t\treturn (result = SCTP_IERROR_ERROR) ? 1 : 0;\n"
+ ">> +\t\t\t\treturn (result == SCTP_IERROR_ERROR) ? 1 : 0;\n"
 ">> \t\t case SCTP_IERROR_NO_ERROR:\n"
 ">> \t\t default:\n"
 ">> \t\t\t\tbreak;\n"
@@ -200,4 +200,4 @@
 ">>\n" >
-cb3d51dee0127f77a421addcafb2ccead49c17e3f4f8ba8e068e665f8a691e64
+b267546f3bf755a78c49fcb7a00be59dbf68faec14b9ee333f3941054219588e