Diffstat (limited to 'meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch')
-rw-r--r-- | meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch new file mode 100644 index 00000000..e7b12283 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch 
@@ -0,0 +1,51 @@ +From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001 +From: Xufeng Zhang <xufeng.zhang@windriver.com> +Date: Thu, 12 Jun 2014 10:53:36 +0800 +Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem + +[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ] + +Consider the scenario: +For a TCP-style socket, while processing the COOKIE_ECHO chunk in +sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check, +a new association would be created in sctp_unpack_cookie(), but afterwards, +some processing maybe failed, and sctp_association_free() will be called to +free the previously allocated association, in sctp_association_free(), +sk_ack_backlog value is decremented for this socket, since the initial +value for sk_ack_backlog is 0, after the decrement, it will be 65535, +a wrap-around problem happens, and if we want to establish new associations +afterward in the same socket, ABORT would be triggered since sctp deem the +accept queue as full. +Fix this issue by only decrementing sk_ack_backlog for associations in +the endpoint's list. + +Fixes CVE-2014-4667 +Upstream-Status: Backport + +Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com> +Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com> +Acked-by: Daniel Borkmann <dborkman@redhat.com> +Acked-by: Vlad Yasevich <vyasevich@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- + net/sctp/associola.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index cef5099..f6d6dcd 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc) + /* Only real associations count against the endpoint, so + * don't bother for if this is a temporary association. 
+ */ +- if (!asoc->temp) { ++ if (!list_empty(&asoc->asocs)) { + list_del(&asoc->asocs); + + /* Decrement the backlog value for a TCP-style listening +-- +1.9.1 + |
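Review bot: In the net/sctp/associola.c hunk, the unchanged comment above the condition ("Only real associations count against the endpoint, so don't bother for if this is a temporary association.") no longer describes the test, which is now `!list_empty(&asoc->asocs)` rather than `!asoc->temp`. Reword it to say that only associations still linked on the endpoint's list are unlinked and counted against sk_ack_backlog. The new condition also relies on asoc->asocs being an initialized, empty list head for any association that was never added to the endpoint. That initialization is outside the visible lines, so confirm it in the kernel tree this backport is applied to. If it is missing there, list_empty() would read an uninitialized list head and the decrement described in the commit message could still happen.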