Author: delphij
Date: Tue Jan 27 19:35:36 2015
New Revision: 277804
URL: https://svnweb.freebsd.org/changeset/base/277804
Log:
Fix SCTP SCTP_SS_VALUE kernel memory corruption and disclosure vulnerability.
We would like to acknowledge Clement LECIGNE from Google Security Team and
Francisco Falcon from Core Security Technologies, who discovered the issue
independently and reported it to the FreeBSD Security Team.
Security: FreeBSD-SA-15:02.kmem
Security: CVE-2014-8612
Submitted by: tuexen
Modified:
head/sys/netinet/sctp_usrreq.c
Modified: head/sys/netinet/sctp_usrreq.c
==============================================================================
--- head/sys/netinet/sctp_usrreq.c Tue Jan 27 19:25:39 2015
(r277803)
+++ head/sys/netinet/sctp_usrreq.c Tue Jan 27 19:35:36 2015
(r277804)
@@ -1863,8 +1863,9 @@ flags_out:
SCTP_CHECK_AND_CAST(av, optval, struct
sctp_stream_value, *optsize);
SCTP_FIND_STCB(inp, stcb, av->assoc_id);
if (stcb) {
- if
(stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc,
&stcb->asoc.strmout[av->stream_id],
- &av->stream_value) < 0) {
+ if ((av->stream_id >= stcb->asoc.streamoutcnt)
||
+
(stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc,
&stcb->asoc.strmout[av->stream_id],
+ &av->stream_value) < 0)) {
SCTP_LTRACE_ERR_RET(inp, NULL, NULL,
SCTP_FROM_SCTP_USRREQ, EINVAL);
error = EINVAL;
} else {
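Review bot: The new guard is correct only because `||` short-circuits before `&stcb->asoc.strmout[av->stream_id]` is evaluated, and nothing in the hunk records that dependency, so a later edit that splits or reorders the condition would reintroduce the out-of-bounds index. A comment such as `/* stream_id must be checked against streamoutcnt before strmout[] is indexed */` above the `if`, or a separate `if (av->stream_id >= stcb->asoc.streamoutcnt)` guard that sets EINVAL first, would make the invariant explicit; the same applies to the setopt hunk at line 4033. The check also assumes stream_id and streamoutcnt are unsigned types of compatible width, which appears to be the case for struct sctp_stream_value but is not visible here. The enclosing SCTP_SS_VALUE case of sctp_getopt starts and ends outside the hunk.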
@@ -4032,8 +4033,9 @@ sctp_setopt(struct socket *so, int optna
SCTP_CHECK_AND_CAST(av, optval, struct
sctp_stream_value, optsize);
SCTP_FIND_STCB(inp, stcb, av->assoc_id);
if (stcb) {
- if
(stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc,
&stcb->asoc.strmout[av->stream_id],
- av->stream_value) < 0) {
+ if ((av->stream_id >= stcb->asoc.streamoutcnt)
||
+
(stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc,
&stcb->asoc.strmout[av->stream_id],
+ av->stream_value) < 0)) {
SCTP_LTRACE_ERR_RET(inp, NULL, NULL,
SCTP_FROM_SCTP_USRREQ, EINVAL);
error = EINVAL;
}
@@ -4043,10 +4045,12 @@ sctp_setopt(struct socket *so, int optna
SCTP_INP_RLOCK(inp);
LIST_FOREACH(stcb,
&inp->sctp_asoc_list, sctp_tcblist) {
SCTP_TCB_LOCK(stcb);
-
stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
- &stcb->asoc,
-
&stcb->asoc.strmout[av->stream_id],
- av->stream_value);
+ if (av->stream_id <
stcb->asoc.streamoutcnt) {
+
stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
+ &stcb->asoc,
+
&stcb->asoc.strmout[av->stream_id],
+ av->stream_value);
+ }
SCTP_TCB_UNLOCK(stcb);
}
SCTP_INP_RUNLOCK(inp);
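Review bot: In the all-associations loop an out-of-range stream_id is silently skipped, whereas the single-association path at line 4033 returns EINVAL; if that asymmetry is intentional (each association has its own streamoutcnt, so some may legitimately lack the stream), it deserves a comment above the added `if`, e.g. `/* Associations with fewer outbound streams are skipped; no error is reported for them. */`. Otherwise the caller sees success even when no association was updated. The comparison is made under SCTP_TCB_LOCK, which is the right place provided streamoutcnt only changes under that lock — worth confirming against the stream-reset code. sctp_setopt continues outside the hunk.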