diff options
Diffstat (limited to 'recipes-kernel/linux/files/sctp-CVE-2014-4667.patch')
-rw-r--r-- | recipes-kernel/linux/files/sctp-CVE-2014-4667.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch new file mode 100644 index 0000000..e7b1228 --- /dev/null +++ b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xufeng Zhang <xufeng.zhang@windriver.com> | ||
3 | Date: Thu, 12 Jun 2014 10:53:36 +0800 | ||
4 | Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem | ||
5 | |||
6 | [ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ] | ||
7 | |||
8 | Consider the scenario: | ||
9 | For a TCP-style socket, while processing the COOKIE_ECHO chunk in | ||
10 | sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check, | ||
11 | a new association would be created in sctp_unpack_cookie(), but afterwards, | ||
12 | some processing maybe failed, and sctp_association_free() will be called to | ||
13 | free the previously allocated association, in sctp_association_free(), | ||
14 | sk_ack_backlog value is decremented for this socket, since the initial | ||
15 | value for sk_ack_backlog is 0, after the decrement, it will be 65535, | ||
16 | a wrap-around problem happens, and if we want to establish new associations | ||
17 | afterward in the same socket, ABORT would be triggered since sctp deem the | ||
18 | accept queue as full. | ||
19 | Fix this issue by only decrementing sk_ack_backlog for associations in | ||
20 | the endpoint's list. | ||
21 | |||
22 | Fixes CVE-2014-4667 | ||
23 | Upstream-Status: Backport | ||
24 | |||
25 | Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com> | ||
26 | Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com> | ||
27 | Acked-by: Daniel Borkmann <dborkman@redhat.com> | ||
28 | Acked-by: Vlad Yasevich <vyasevich@gmail.com> | ||
29 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
30 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
31 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
32 | --- | ||
33 | net/sctp/associola.c | 2 +- | ||
34 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
35 | |||
36 | diff --git a/net/sctp/associola.c b/net/sctp/associola.c | ||
37 | index cef5099..f6d6dcd 100644 | ||
38 | --- a/net/sctp/associola.c | ||
39 | +++ b/net/sctp/associola.c | ||
40 | @@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc) | ||
41 | /* Only real associations count against the endpoint, so | ||
42 | * don't bother for if this is a temporary association. | ||
43 | */ | ||
44 | - if (!asoc->temp) { | ||
45 | + if (!list_empty(&asoc->asocs)) { | ||
46 | list_del(&asoc->asocs); | ||
47 | |||
48 | /* Decrement the backlog value for a TCP-style listening | ||
49 | -- | ||
50 | 1.9.1 | ||
51 | |||