[kernel/f19] CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
Josh Boyer
jwboyer at fedoraproject.org
Mon Mar 3 18:22:50 UTC 2014
commit ec9e0da519660ebca98261f235f8c5705f121e70
Author: Josh Boyer <jwboyer at redhat.com>
Date: Mon Mar 3 13:19:47 2014 -0500
CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
kernel.spec | 7 ++++++
...D_ce-to-verify-if-we-peer-is-AUTH-capable.patch | 21 ++++++++++++++++++++
2 files changed, 28 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 16a60de..fd07d39 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -782,6 +782,9 @@ Patch25028: tty-Fix-low_latency-BUG.patch
#rhbz 1066064
Patch25029: audit-don-t-generate-loginuid-log-when-audit-disable.patch
+#CVE-2014-0101 rhbz 1072029 1070705
+Patch25030: net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1510,6 +1513,9 @@ ApplyPatch tty-Fix-low_latency-BUG.patch
#rhbz 1066064
ApplyPatch audit-don-t-generate-loginuid-log-when-audit-disable.patch
+#CVE-2014-0101 rhbz 1072029 1070705
+ApplyPatch net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2323,6 +2329,7 @@ fi
%changelog
* Mon Mar 03 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
- Fix overly verbose audit logs (rhbz 1066064)
* Mon Mar 03 2014 Josh Boyer <jwboyer at fedoraproject.org> - 3.13.5-102
diff --git a/net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch b/net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
new file mode 100644
index 0000000..5fe787a
--- /dev/null
+++ b/net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
@@ -0,0 +1,21 @@
+Bugzilla: 1072029
+Upstream-status: Submitted http://patchwork.ozlabs.org/patch/325898/
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 591b44d..ae65b6b 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -758,6 +758,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
+ struct sctp_chunk auth;
+ sctp_ierror_t ret;
+
++ /* Make sure that we and the peer are AUTH capable */
++ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
++ kfree_skb(chunk->auth_chunk);
++ sctp_association_free(new_asoc);
++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++ }
++
+ /* set-up our fake chunk so that we can process it */
+ auth.skb = chunk->auth_chunk;
+ auth.asoc = chunk->asoc;
More information about the scm-commits
mailing list