| From nobody Mon Sep 17 00:00:00 2001 |
| From: Vladislav Yasevich <vladislav.yasevich@hp.com> |
| Date: Fri, 19 May 2006 14:25:53 -0700 |
| Subject: SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857) |
| |
| If SCTP receives a badly formatted HB-ACK chunk, it is possible |
| that we may access invalid memory and potentially have a buffer |
| overflow. We should really make sure that the chunk format is |
| what we expect, before attempting to touch the data. |
| |
| Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> |
| Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| |
| --- |
| |
| net/sctp/sm_statefuns.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| a601266e4f3c479790f373c2e3122a766d123652 |
| diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c |
| index 174f7a7..8bc2792 100644 |
| --- linux-2.6.16.16.orig/net/sctp/sm_statefuns.c |
| +++ linux-2.6.16.16/net/sctp/sm_statefuns.c |
| @@ -1030,6 +1030,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3( |
| commands); |
| |
| hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; |
| + /* Make sure that the length of the parameter is what we expect */ |
| + if (ntohs(hbinfo->param_hdr.length) != |
| + sizeof(sctp_sender_hb_info_t)) { |
| + return SCTP_DISPOSITION_DISCARD; |
| + } |
| + |
| from_addr = hbinfo->daddr; |
| link = sctp_assoc_lookup_paddr(asoc, &from_addr); |
| |