| From nobody Mon Sep 17 00:00:00 2001 |
| From: Vladislav Yasevich <vladislav.yasevich@hp.com> |
| Date: Fri, 19 May 2006 11:52:20 -0700 |
| Subject: SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858) |
| |
| When performing bound checks during the parameter processing, we |
| want to use the real chunk and paramter lengths for bounds instead |
| of the rounded ones. This prevents us from potentially walking of |
| the end if the chunk length was miscalculated. We still use rounded |
| lengths when advancing the pointer. This was found during a |
| conformance test that changed the chunk length without modifying |
| parameters. |
| |
| (Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem |
| is parameter dependent). |
| |
| Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> |
| Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| --- |
| |
| include/net/sctp/sctp.h | 6 +++--- |
| 1 file changed, 3 insertions(+), 3 deletions(-) |
| |
| dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512 |
| diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h |
| index e673b2c..aa6033c 100644 |
| --- linux-2.6.16.16.orig/include/net/sctp/sctp.h |
| +++ linux-2.6.16.16/include/net/sctp/sctp.h |
| @@ -461,12 +461,12 @@ static inline int sctp_frag_point(const |
| * there is room for a param header too. |
| */ |
| #define sctp_walk_params(pos, chunk, member)\ |
| -_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member) |
| +_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) |
| |
| #define _sctp_walk_params(pos, chunk, end, member)\ |
| for (pos.v = chunk->member;\ |
| pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\ |
| - pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\ |
| + pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\ |
| ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\ |
| pos.v += WORD_ROUND(ntohs(pos.p->length))) |
| |
| @@ -477,7 +477,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt |
| for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \ |
| sizeof(sctp_chunkhdr_t));\ |
| (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\ |
| - (void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\ |
| + (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\ |
| ntohs(err->length) >= sizeof(sctp_errhdr_t); \ |
| err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length)))) |
| |