[CVE-2009-0065] fix Linux kernel memory overflow in sctp (closes: #4913)
[openwrt/svn-archive/archive.git] / target / linux / generic-2.6 / patches-2.6.26 / 992-cve-2009-0065.patch
1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
2
3 --- a/net/sctp/sm_statefuns.c
4 +++ b/net/sctp/sm_statefuns.c
5 @@ -3641,6 +3641,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
6 {
7 struct sctp_chunk *chunk = arg;
8 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
9 + struct sctp_fwdtsn_skip *skip;
10 __u16 len;
11 __u32 tsn;
12
13 @@ -3670,6 +3671,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
14 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
15 goto discard_noforce;
16
17 + /* Silently discard the chunk if stream-id is not valid */
18 + sctp_walk_fwdtsn(skip, chunk) {
19 + if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
20 + goto discard_noforce;
21 + }
22 +
23 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
24 if (len > sizeof(struct sctp_fwdtsn_hdr))
25 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
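Review bot: The stream-id guard added before the SCTP_CMD_REPORT_FWDTSN command walks the skip list inline, and the identical loop is repeated in the sctp_sf_eat_fwd_tsn_fast hunk below, so the two validation sites can drift apart on a later fix; a small static helper called from both would keep them in step and give the check one place to be documented. The guard is only as strong as the bound `sctp_walk_fwdtsn` places on its iteration, which presumably derives from the chunk-length check done earlier in the function (outside this hunk), so the helper's comment should state that it assumes the chunk length has already been validated. Both sctp_sf_eat_fwd_tsn and sctp_sf_eat_fwd_tsn_fast start and end outside the hunks.
```c
/* Return non-zero when every skip entry names an inbound stream below
 * sinit_max_instreams.  Assumes the chunk length has already been
 * validated, since sctp_walk_fwdtsn bounds its walk by that length. */
static int sctp_fwdtsn_streams_valid(const struct sctp_association *asoc,
				     struct sctp_chunk *chunk)
{
	struct sctp_fwdtsn_skip *skip;

	sctp_walk_fwdtsn(skip, chunk) {
		if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
			return 0;
	}
	return 1;
}

/* … unchanged: sctp_sf_eat_fwd_tsn up to the tsn_map check … */
	/* Silently discard the chunk if stream-id is not valid */
	if (!sctp_fwdtsn_streams_valid(asoc, chunk))
		goto discard_noforce;
```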
26 @@ -3701,6 +3708,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
27 {
28 struct sctp_chunk *chunk = arg;
29 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
30 + struct sctp_fwdtsn_skip *skip;
31 __u16 len;
32 __u32 tsn;
33
34 @@ -3730,6 +3738,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
35 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
36 goto gen_shutdown;
37
38 + /* Silently discard the chunk if stream-id is not valid */
39 + sctp_walk_fwdtsn(skip, chunk) {
40 + if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
41 + goto gen_shutdown;
42 + }
43 +
44 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
45 if (len > sizeof(struct sctp_fwdtsn_hdr))
46 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
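Review bot: The comment `/* Silently discard the chunk if stream-id is not valid */` above the new loop in sctp_sf_eat_fwd_tsn_fast is copied from the non-fast variant, but this branch jumps to `gen_shutdown`, which judging by the label name and the existing TSN-map check two lines above presumably generates a SHUTDOWN rather than silently dropping the chunk. The comment should describe what this path actually does, e.g. `/* Invalid stream-id: handle like the TSN-map failure above (gen_shutdown) */`. The enclosing function starts and ends outside the hunk.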