Message ID | 1375363951-5208-3-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
On 08/01/2013 02:32 PM, Luis Henriques wrote: > From: Vlad Yasevich <vyasevich@gmail.com> > > CVE-2013-2206 > > BugLink: http://bugs.launchpad.net/bugs/1194445 > > When SCTP is done processing a duplicate cookie chunk, it tries > to delete a newly created association. For that, it has to set > the right association for the side-effect processing to work. > However, when it uses the SCTP_CMD_NEW_ASOC command, that performs > more work than really needed (like hashing the association and > assigning it an id) and there is no point to do that only to > delete the association as a next step. In fact, it also creates > an impossible condition where an association may be found by > the getsockopt() call, and that association is empty. This > causes a crash in some sctp getsockopts. > > The solution is rather simple. We simply use SCTP_CMD_SET_ASOC > command that doesn't have all the overhead and does exactly > what we need. > > Reported-by: Karl Heiss <kheiss@gmail.com> > Tested-by: Karl Heiss <kheiss@gmail.com> > CC: Neil Horman <nhorman@tuxdriver.com> > Signed-off-by: Vlad Yasevich <vyasevich@gmail.com> > Acked-by: Neil Horman <nhorman@tuxdriver.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit f2815633504b442ca0b0605c16bf3d88a3a0fcea) > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > net/sctp/sm_statefuns.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c > index 9e4e846..486df56 100644 > --- a/net/sctp/sm_statefuns.c > +++ b/net/sctp/sm_statefuns.c 
> @@ -2045,7 +2045,7 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, > } > > /* Delete the tempory new association. */ > - sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); > + sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); > sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); > > /* Restore association pointer to provide SCTP command interpeter >
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 9e4e846..486df56 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -2045,7 +2045,7 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, } /* Delete the tempory new association. */ - sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); + sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); /* Restore association pointer to provide SCTP command interpeter
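Review bot: the comment above the changed sctp_add_cmd_sf() call in sctp_sf_do_5_2_4_dupcook() still only says "Delete the tempory new association" and gives no hint why SCTP_CMD_SET_ASOC has to be used here rather than SCTP_CMD_NEW_ASOC. Per the commit message, SCTP_CMD_NEW_ASOC hashes the association and assigns it an id, which leaves an empty association findable by getsockopt() until SCTP_CMD_DELETE_TCB runs. A short comment saying that the association must only be set for side-effect processing and must not be hashed or given an id would keep a later cleanup from switching the command back. The "tempory" typo in that same context line could be corrected at the same time, if diverging from the upstream cherry-pick is acceptable for this tree.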