[kernel] add 2.6.23 security fixes for rb532 missed in 8.09.1
[openwrt/svn-archive/archive.git] / target / linux / generic-2.6 / patches-2.6.23 / 992-cve-2009-0065.patch
1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
2
3 --- a/net/sctp/sm_statefuns.c
4 +++ b/net/sctp/sm_statefuns.c
5 @@ -3507,6 +3507,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
6 {
7 struct sctp_chunk *chunk = arg;
8 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
9 + struct sctp_fwdtsn_skip *skip;
10 __u16 len;
11 __u32 tsn;
12
13 @@ -3536,6 +3537,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
14 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
15 goto discard_noforce;
16
17 + /* Silently discard the chunk if stream-id is not valid */
18 + sctp_walk_fwdtsn(skip, chunk) {
19 + if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
20 + goto discard_noforce;
21 + }
22 +
23 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
24 if (len > sizeof(struct sctp_fwdtsn_hdr))
25 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
26 @@ -3567,6 +3574,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
27 {
28 struct sctp_chunk *chunk = arg;
29 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
30 + struct sctp_fwdtsn_skip *skip;
31 __u16 len;
32 __u32 tsn;
33
34 @@ -3596,6 +3604,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
35 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
36 goto gen_shutdown;
37
38 + /* Silently discard the chunk if stream-id is not valid */
39 + sctp_walk_fwdtsn(skip, chunk) {
40 + if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
41 + goto gen_shutdown;
42 + }
43 +
44 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
45 if (len > sizeof(struct sctp_fwdtsn_hdr))
46 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,