releases/2.6.16.17/sctp-respect-the-real-chunk-length-when-walking-parameters.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From nobody Mon Sep 17 00:00:00 2001
 From: Vladislav Yasevich <vladislav.yasevich@hp.com>
 Date: Fri, 19 May 2006 11:52:20 -0700
 Subject: SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)

 When performing bound checks during the parameter processing, we
 want to use the real chunk and paramter lengths for bounds instead
 of the rounded ones.  This prevents us from potentially walking of
 the end if the chunk length was miscalculated.  We still use rounded
 lengths when advancing the pointer. This was found during a
 conformance test that changed the chunk length without modifying
 parameters.

 (Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
 is parameter dependent).

 Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
 Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
 ---

  include/net/sctp/sctp.h |    6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

 dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512
 diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
 index e673b2c..aa6033c 100644
 --- linux-2.6.16.16.orig/include/net/sctp/sctp.h
 +++ linux-2.6.16.16/include/net/sctp/sctp.h
 @@ -461,12 +461,12 @@ static inline int sctp_frag_point(const
   * there is room for a param header too.
   */
  #define sctp_walk_params(pos, chunk, member)\
 -_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member)
 +_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)

  #define _sctp_walk_params(pos, chunk, end, member)\
  for (pos.v = chunk->member;\
       pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\
 -     pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\
 +     pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
       ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
       pos.v += WORD_ROUND(ntohs(pos.p->length)))

 @@ -477,7 +477,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
  for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
  	    sizeof(sctp_chunkhdr_t));\
       (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\
 -     (void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\
 +     (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
       ntohs(err->length) >= sizeof(sctp_errhdr_t); \
       err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length))))
	From nobody Mon Sep 17 00:00:00 2001
	From: Vladislav Yasevich <vladislav.yasevich@hp.com>
	Date: Fri, 19 May 2006 11:52:20 -0700
	Subject: SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)

	When performing bound checks during the parameter processing, we
	want to use the real chunk and paramter lengths for bounds instead
	of the rounded ones. This prevents us from potentially walking of
	the end if the chunk length was miscalculated. We still use rounded
	lengths when advancing the pointer. This was found during a
	conformance test that changed the chunk length without modifying
	parameters.

	(Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
	is parameter dependent).

	Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
	Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
	Signed-off-by: Chris Wright <chrisw@sous-sol.org>
	---

	include/net/sctp/sctp.h \| 6 +++---
	1 file changed, 3 insertions(+), 3 deletions(-)

	dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512
	diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
	index e673b2c..aa6033c 100644
	--- linux-2.6.16.16.orig/include/net/sctp/sctp.h
	+++ linux-2.6.16.16/include/net/sctp/sctp.h
	@@ -461,12 +461,12 @@ static inline int sctp_frag_point(const
	* there is room for a param header too.
	*/
	#define sctp_walk_params(pos, chunk, member)\
	-_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member)
	+_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)

	#define _sctp_walk_params(pos, chunk, end, member)\
	for (pos.v = chunk->member;\
	pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\
	- pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\
	+ pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
	ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
	pos.v += WORD_ROUND(ntohs(pos.p->length)))

	@@ -477,7 +477,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
	for (err = (sctp_errhdr_t )((void )chunk_hdr + \
	sizeof(sctp_chunkhdr_t));\
	(void )err <= (void )chunk_hdr + end - sizeof(sctp_errhdr_t) &&\
	- (void )err <= (void )chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\
	+ (void )err <= (void )chunk_hdr + end - ntohs(err->length) &&\
	ntohs(err->length) >= sizeof(sctp_errhdr_t); \
	err = (sctp_errhdr_t )((void )err + WORD_ROUND(ntohs(err->length))))