[kernel/f19] CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)

Josh Boyer jwboyer at fedoraproject.org
Mon Mar 3 18:22:50 UTC 2014


commit ec9e0da519660ebca98261f235f8c5705f121e70
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Mon Mar 3 13:19:47 2014 -0500

    CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)

 kernel.spec                                        |    7 ++++++
 ...D_ce-to-verify-if-we-peer-is-AUTH-capable.patch |   21 ++++++++++++++++++++
 2 files changed, 28 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 16a60de..fd07d39 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -782,6 +782,9 @@ Patch25028: tty-Fix-low_latency-BUG.patch
 #rhbz 1066064
 Patch25029: audit-don-t-generate-loginuid-log-when-audit-disable.patch
 
+#CVE-2014-0101 rhbz 1072029 1070705
+Patch25030: net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
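Review bot: The bug id in the added comment `#CVE-2014-0101 rhbz 1072029 1070705` does not match the changelog entry and the commit title, which both cite rhbz 1070209 1070705 — the digits look transposed in one of the two. The same comment is repeated in the ApplyPatch hunk, and the new patch file's `Bugzilla: 1072029` header agrees with the spec comments rather than with the changelog, so the inconsistency is not a single stray line. Whichever tracker is the right one, the Patch25030 comment, the ApplyPatch comment and the changelog line should cite the same number so the fix can be traced from either direction.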
@@ -1510,6 +1513,9 @@ ApplyPatch tty-Fix-low_latency-BUG.patch
 #rhbz 1066064
 ApplyPatch audit-don-t-generate-loginuid-log-when-audit-disable.patch
 
+#CVE-2014-0101 rhbz 1072029 1070705
+ApplyPatch net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2323,6 +2329,7 @@ fi
 
 %changelog
 * Mon Mar 03 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
 - Fix overly verbose audit logs (rhbz 1066064)
 
 * Mon Mar 03 2014 Josh Boyer <jwboyer at fedoraproject.org> - 3.13.5-102
diff --git a/net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch b/net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
new file mode 100644
index 0000000..5fe787a
--- /dev/null
+++ b/net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
@@ -0,0 +1,21 @@
+Bugzilla: 1072029
+Upstream-status: Submitted http://patchwork.ozlabs.org/patch/325898/
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 591b44d..ae65b6b 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -758,6 +758,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
+ 		struct sctp_chunk auth;
+ 		sctp_ierror_t ret;
+ 
++		/* Make sure that we and the peer are AUTH capable */
++		if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
++			kfree_skb(chunk->auth_chunk);
++			sctp_association_free(new_asoc);
++			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++		}
++
+ 		/* set-up our fake chunk so that we can process it */
+ 		auth.skb = chunk->auth_chunk;
+ 		auth.asoc = chunk->asoc;
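Review bot: The new early-exit frees `chunk->auth_chunk` with kfree_skb() but leaves the pointer in the chunk referring to released memory, so anything that later tests or frees `chunk->auth_chunk` (the chunk's own teardown, for example) would touch a freed skb; that path is not visible here and should be checked against the chunk free routine. If nothing else owns the skb, adding `chunk->auth_chunk = NULL;` right after the kfree_skb() makes the ownership explicit and turns a possible double free into a no-op. The placement of the check is right: it rejects the bundled AUTH before `auth.skb` is built from it, so the fake-chunk processing below only runs when both ends negotiated AUTH, which is what the CVE fix needs. sctp_sf_do_5_1D_ce starts and continues outside this hunk.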

