diff for duplicates of <4BD875C5.9000907@hp.com>
diff --git a/a/1.txt b/N1/1.txt
index b5143ac..86f7ba8 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -76,7 +76,7 @@ processing allocate it when it reaches a parameter that needs an error.
 >>>> <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
 >>>> <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
 >>>> <5> ds: 007b es: 007b ss: 0068
->>>> <5> Process swapper (pid: 0, threadinfoÀ40f000 taskÀ370be0)
+>>>> <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
 >>>> <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
 >>>> e0c2947d 
 >>>> <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
@@ -115,7 +115,7 @@ processing allocate it when it reaches a parameter that needs an error.
 >>>> which too many of its variable length parameters are in some way malformed.
 >>>>
 >>>> The problem is in sctp_process_unk_param:
->>>> if (NULL = *errp)
+>>>> if (NULL == *errp)
 >>>> *errp = sctp_make_op_error_space(asoc, chunk,
 >>>> ntohs(chunk->chunk_hdr->length));
 >>>>
@@ -135,7 +135,7 @@ processing allocate it when it reaches a parameter that needs an error.
 >>>>
 >>>> The result of this error is that a deliberately malformed packet sent to a
 >>>> listening host can cause a remote DOS, described in CVE-2010-1173:
->>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name 10-1173
+>>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
 >>>>
 >>>> I've tested the below fix and confirmed that it fixes the issue. It
 >>>> pre-allocates the error chunk in sctp_verify_init, where we are able to count
@@ -163,10 +163,10 @@ processing allocate it when it reaches a parameter that needs an error.
 >>>> + unsigned int len;
 >>>>
 >>>> /* Verify stream values are non-zero. */
->>>> if ((0 = peer_init->init_hdr.num_outbound_streams) ||
+>>>> if ((0 == peer_init->init_hdr.num_outbound_streams) ||
 >>>> @@ -2149,6 +2151,7 @@ int sctp_verify_init(const struct sctp_association *asoc,
 >>>>
->>>> if (SCTP_PARAM_STATE_COOKIE = param.p->type)
+>>>> if (SCTP_PARAM_STATE_COOKIE == param.p->type)
 >>>> has_cookie = 1;
 >>>> + param_cnt++;
 >>>>
@@ -201,9 +201,9 @@ processing allocate it when it reaches a parameter that needs an error.
 >>>> case SCTP_IERROR_ERROR:
 >>>> - return 1;
 >>>> + len = ntohs((*errp)->chunk_hdr->length);
->>>> + if ((*errp) && (len = sizeof(sctp_chunkhdr_t)))
+>>>> + if ((*errp) && (len == sizeof(sctp_chunkhdr_t)))
 >>>> + sctp_chunk_free(*errp);
->>>> + return (result = SCTP_IERROR_ERROR) ? 1 : 0;
+>>>> + return (result == SCTP_IERROR_ERROR) ? 1 : 0;
 >>>> case SCTP_IERROR_NO_ERROR:
 >>>> default:
 >>>> break;
diff --git a/a/content_digest b/N1/content_digest
index 2d5fd1c..c44b27e 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -3,8 +3,8 @@
 "ref\020100428142147.GB4818@hmsreliant.think-freely.org\0"
 "ref\04BD8481E.3010509@hp.com\0"
 "From\0Vlad Yasevich <vladislav.yasevich@hp.com>\0"
- "Subject\0Re: [PATCH]: sctp: Fix skb_over_panic resulting from multiple invalid\0"
- "Date\0Wed, 28 Apr 2010 17:52:05 +0000\0"
+ "Subject\0Re: [PATCH]: sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173)\0"
+ "Date\0Wed, 28 Apr 2010 13:52:05 -0400\0"
 "To\0Neil Horman <nhorman@tuxdriver.com>\0"
 "Cc\0sri@us.ibm.com"
 linux-sctp@vger.kernel.org
@@ -92,7 +92,7 @@
 ">>>> <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44\n"
 ">>>> <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40\n"
 ">>>> <5> ds: 007b es: 007b ss: 0068\n"
- ">>>> <5> Process swapper (pid: 0, threadinfo\303\20040f000 task\303\200370be0)\n"
+ ">>>> <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)\n"
 ">>>> <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180\n"
 ">>>> e0c2947d \n"
 ">>>> <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004\n"
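Review bot: In the hunk at `@@ -201,9 +201,9 @@`, the quoted patch line `len = ntohs((*errp)->chunk_hdr->length);` dereferences `*errp` one line before the `(*errp) &&` guard, so the guard cannot protect against a NULL error chunk; the length read belongs inside the guard, `if (*errp && ntohs((*errp)->chunk_hdr->length) == sizeof(sctp_chunkhdr_t))`, with the separate `len` assignment dropped. The duplicate-message diff only restores the `=` characters lost in decoding and does not touch this ordering. After `sctp_chunk_free(*errp);` the pointer is left pointing at freed memory, so any caller that later tests or uses `*errp` sees a dangling chunk; `*errp = NULL;` after the free closes that. Whether `*errp` is guaranteed non-NULL here depends on the pre-allocation in sctp_verify_init that the email describes, which lies outside this hunk, as does the rest of the enclosing function.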
@@ -131,7 +131,7 @@
 ">>>> which too many of its variable length parameters are in some way malformed.\n"
 ">>>>\n"
 ">>>> The problem is in sctp_process_unk_param:\n"
- ">>>> if (NULL = *errp)\n"
+ ">>>> if (NULL == *errp)\n"
 ">>>> \t*errp = sctp_make_op_error_space(asoc, chunk,\n"
 ">>>> \t\t\t\t\t ntohs(chunk->chunk_hdr->length));\n"
 ">>>>\n"
@@ -151,7 +151,7 @@
 ">>>>\n"
 ">>>> The result of this error is that a deliberately malformed packet sent to a\n"
 ">>>> listening host can cause a remote DOS, described in CVE-2010-1173:\n"
- ">>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name 10-1173\n"
+ ">>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173\n"
 ">>>>\n"
 ">>>> I've tested the below fix and confirmed that it fixes the issue. It\n"
 ">>>> pre-allocates the error chunk in sctp_verify_init, where we are able to count\n"
@@ -179,10 +179,10 @@
 ">>>> +\tunsigned int len;\n"
 ">>>> \n"
 ">>>> \t/* Verify stream values are non-zero. */\n"
- ">>>> \tif ((0 = peer_init->init_hdr.num_outbound_streams) ||\n"
+ ">>>> \tif ((0 == peer_init->init_hdr.num_outbound_streams) ||\n"
 ">>>> @@ -2149,6 +2151,7 @@ int sctp_verify_init(const struct sctp_association *asoc,\n"
 ">>>> \n"
- ">>>> \t\tif (SCTP_PARAM_STATE_COOKIE = param.p->type)\n"
+ ">>>> \t\tif (SCTP_PARAM_STATE_COOKIE == param.p->type)\n"
 ">>>> \t\t\thas_cookie = 1;\n"
 ">>>> +\t\tparam_cnt++;\n"
 ">>>> \n"
@@ -217,9 +217,9 @@
 ">>>> \t\t case SCTP_IERROR_ERROR:\n"
 ">>>> -\t\t\t\treturn 1;\n"
 ">>>> +\t\t\t\tlen = ntohs((*errp)->chunk_hdr->length);\n"
- ">>>> +\t\t\t\tif ((*errp) && (len = sizeof(sctp_chunkhdr_t)))\n"
+ ">>>> +\t\t\t\tif ((*errp) && (len == sizeof(sctp_chunkhdr_t)))\n"
 ">>>> +\t\t\t\t\tsctp_chunk_free(*errp);\n"
- ">>>> +\t\t\t\treturn (result = SCTP_IERROR_ERROR) ? 1 : 0;\n"
+ ">>>> +\t\t\t\treturn (result == SCTP_IERROR_ERROR) ? 1 : 0;\n"
 ">>>> \t\t case SCTP_IERROR_NO_ERROR:\n"
 ">>>> \t\t default:\n"
 ">>>> \t\t\t\tbreak;\n"
@@ -242,4 +242,4 @@ "> More majordomo info at http://vger.kernel.org/majordomo-info.html\n" > -8735596197d196775ef077b206b28363ef27e75c85d80ea56a671336e4c5f93d +cec0c4f21a7c2de0cf1b2b27cc5ac26b9fce06682652d6aba51c96a874231ce1