diff for duplicates of <4BD8481E.3010509@hp.com>
diff --git a/a/1.txt b/N1/1.txt
index ccacf94..61fdce9 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -64,7 +64,7 @@ an error cause. :)
 >>> <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
 >>> <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
 >>> <5> ds: 007b es: 007b ss: 0068
->>> <5> Process swapper (pid: 0, threadinfoÀ40f000 taskÀ370be0)
+>>> <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
 >>> <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
 >>> e0c2947d
 >>> <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
@@ -103,7 +103,7 @@ an error cause. :)
 >>> which too many of its variable length parameters are in some way malformed.
 >>>
 >>> The problem is in sctp_process_unk_param:
->>> if (NULL = *errp)
+>>> if (NULL == *errp)
 >>> *errp = sctp_make_op_error_space(asoc, chunk,
 >>> ntohs(chunk->chunk_hdr->length));
 >>>
@@ -123,7 +123,7 @@ an error cause. :)
 >>>
 >>> The result of this error is that a deliberately malformed packet sent to a
 >>> listening host can cause a remote DOS, described in CVE-2010-1173:
->>> http://cve.mitre.org/cgi-bin/cvename.cgi?name 10-1173
+>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
 >>>
 >>> I've tested the below fix and confirmed that it fixes the issue. It
 >>> pre-allocates the error chunk in sctp_verify_init, where we are able to count
@@ -151,10 +151,10 @@ an error cause. :)
 >>> + unsigned int len;
 >>>
 >>> /* Verify stream values are non-zero. */
->>> if ((0 = peer_init->init_hdr.num_outbound_streams) ||
+>>> if ((0 == peer_init->init_hdr.num_outbound_streams) ||
 >>> @@ -2149,6 +2151,7 @@ int sctp_verify_init(const struct sctp_association *asoc,
 >>>
->>> if (SCTP_PARAM_STATE_COOKIE = param.p->type)
+>>> if (SCTP_PARAM_STATE_COOKIE == param.p->type)
 >>> has_cookie = 1;
 >>> + param_cnt++;
 >>>
@@ -189,9 +189,9 @@ an error cause. :)
 >>> case SCTP_IERROR_ERROR:
 >>> - return 1;
 >>> + len = ntohs((*errp)->chunk_hdr->length);
->>> + if ((*errp) && (len = sizeof(sctp_chunkhdr_t)))
+>>> + if ((*errp) && (len == sizeof(sctp_chunkhdr_t)))
 >>> + sctp_chunk_free(*errp);
->>> + return (result = SCTP_IERROR_ERROR) ? 1 : 0;
+>>> + return (result == SCTP_IERROR_ERROR) ? 1 : 0;
 >>> case SCTP_IERROR_NO_ERROR:
 >>> default:
 >>> break;
diff --git a/a/content_digest b/N1/content_digest
index bc61809..c1d2400 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -2,8 +2,8 @@
 "ref\04BD83F85.8090308@hp.com\0"
 "ref\020100428142147.GB4818@hmsreliant.think-freely.org\0"
 "From\0Vlad Yasevich <vladislav.yasevich@hp.com>\0"
- "Subject\0Re: [PATCH]: sctp: Fix skb_over_panic resulting from multiple invalid\0"
- "Date\0Wed, 28 Apr 2010 14:37:18 +0000\0"
+ "Subject\0Re: [PATCH]: sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173)\0"
+ "Date\0Wed, 28 Apr 2010 10:37:18 -0400\0"
 "To\0Neil Horman <nhorman@tuxdriver.com>\0"
 "Cc\0sri@us.ibm.com"
 linux-sctp@vger.kernel.org
@@ -79,7 +79,7 @@
 ">>> <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44\n"
 ">>> <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40\n"
 ">>> <5> ds: 007b es: 007b ss: 0068\n"
- ">>> <5> Process swapper (pid: 0, threadinfo\303\20040f000 task\303\200370be0)\n"
+ ">>> <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)\n"
 ">>> <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180\n"
 ">>> e0c2947d \n"
 ">>> <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004\n"
@@ -118,7 +118,7 @@
 ">>> which too many of its variable length parameters are in some way malformed.\n"
 ">>>\n"
 ">>> The problem is in sctp_process_unk_param:\n"
- ">>> if (NULL = *errp)\n"
+ ">>> if (NULL == *errp)\n"
 ">>> \t*errp = sctp_make_op_error_space(asoc, chunk,\n"
 ">>> \t\t\t\t\t ntohs(chunk->chunk_hdr->length));\n"
 ">>>\n"
@@ -138,7 +138,7 @@
 ">>>\n"
 ">>> The result of this error is that a deliberately malformed packet sent to a\n"
 ">>> listening host can cause a remote DOS, described in CVE-2010-1173:\n"
- ">>> http://cve.mitre.org/cgi-bin/cvename.cgi?name 10-1173\n"
+ ">>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173\n"
 ">>>\n"
 ">>> I've tested the below fix and confirmed that it fixes the issue. It\n"
 ">>> pre-allocates the error chunk in sctp_verify_init, where we are able to count\n"
@@ -166,10 +166,10 @@
 ">>> +\tunsigned int len;\n"
 ">>> \n"
 ">>> \t/* Verify stream values are non-zero. */\n"
- ">>> \tif ((0 = peer_init->init_hdr.num_outbound_streams) ||\n"
+ ">>> \tif ((0 == peer_init->init_hdr.num_outbound_streams) ||\n"
 ">>> @@ -2149,6 +2151,7 @@ int sctp_verify_init(const struct sctp_association *asoc,\n"
 ">>> \n"
- ">>> \t\tif (SCTP_PARAM_STATE_COOKIE = param.p->type)\n"
+ ">>> \t\tif (SCTP_PARAM_STATE_COOKIE == param.p->type)\n"
 ">>> \t\t\thas_cookie = 1;\n"
 ">>> +\t\tparam_cnt++;\n"
 ">>> \n"
@@ -204,9 +204,9 @@
 ">>> \t\t case SCTP_IERROR_ERROR:\n"
 ">>> -\t\t\t\treturn 1;\n"
 ">>> +\t\t\t\tlen = ntohs((*errp)->chunk_hdr->length);\n"
- ">>> +\t\t\t\tif ((*errp) && (len = sizeof(sctp_chunkhdr_t)))\n"
+ ">>> +\t\t\t\tif ((*errp) && (len == sizeof(sctp_chunkhdr_t)))\n"
 ">>> +\t\t\t\t\tsctp_chunk_free(*errp);\n"
- ">>> +\t\t\t\treturn (result = SCTP_IERROR_ERROR) ? 1 : 0;\n"
+ ">>> +\t\t\t\treturn (result == SCTP_IERROR_ERROR) ? 1 : 0;\n"
 ">>> \t\t case SCTP_IERROR_NO_ERROR:\n"
 ">>> \t\t default:\n"
 ">>> \t\t\t\tbreak;\n"
@@ -225,4 +225,4 @@
 ">>>\n"
 >
-811d1485b3f0dccf99237de858715dd26f3fa69a01d3484dbc19ee3e6a464c31
+5f9975985313b3d9829d404f5f1727a24ca2644a4278f9784ac4956da9f72b34