svn commit: r46235 - in head/share: security/advisories security/patches/SA-15:02 security/patches/SA-15:03 xml
Xin LI
delphij at FreeBSD.org
Tue Jan 27 19:53:33 UTC 2015
Author: delphij
Date: Tue Jan 27 19:53:31 2015
New Revision: 46235
URL: https://svnweb.freebsd.org/changeset/doc/46235
Log:
Add advisories and patches for SA-15:02.kmem and SA-15:03.sctp.
Added:
head/share/security/advisories/FreeBSD-SA-15:02.kmem.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-15:03.sctp.asc (contents, props changed)
head/share/security/patches/SA-15:02/
head/share/security/patches/SA-15:02/sctp.patch (contents, props changed)
head/share/security/patches/SA-15:02/sctp.patch.asc (contents, props changed)
head/share/security/patches/SA-15:03/
head/share/security/patches/SA-15:03/sctp.patch (contents, props changed)
head/share/security/patches/SA-15:03/sctp.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-15:02.kmem.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:02.kmem.asc Tue Jan 27 19:53:31 2015 (r46235)
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:02.kmem Security Advisory
+ The FreeBSD Project
+
+Topic: SCTP SCTP_SS_VALUE kernel memory corruption and disclosure
+
+Category: core
+Module: sctp
+Announced: 2015-01-27
+Credits: Clement LECIGNE from Google Security Team and
+ Francisco Falcon from Core Security Technologies
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE)
+ 2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5)
+ 2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17)
+ 2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE)
+ 2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9)
+ 2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE)
+ 2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23)
+CVE Name: CVE-2014-8612
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+SCTP protocol provides reliable, flow-controlled, two-way transmission
+of data. It is a message oriented protocol and can support the SOCK_STREAM
+and SOCK_SEQPACKET abstractions.
+
+SCTP allows the user to choose between multiple scheduling algorithms to
+optimize the sending behavior of SCTP in scenarios with different
+requirements.
+
+II. Problem Description
+
+Due to insufficient validation of the SCTP stream ID, which serves as an array
+index, a local unprivileged attacker can read or write 16-bits of kernel
+memory.
+
+III. Impact
+
+An unprivileged process can read or modify 16-bits of memory which
+belongs to the kernel. This smay lead to exposure of sensitive
+information or allow privilege escalation.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc
+# gpg --verify sctp.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r277807
+releng/8.4/ r277808
+stable/9/ r277807
+releng/9.3/ r277808
+stable/10/ r277807
+releng/10.0/ r277808
+releng/10.1/ r277808
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+We would like to acknowledge Clement LECIGNE from Google Security Team and
+Francisco Falcon from Core Security Technologies who discovered the issue
+independently and reported to the FreeBSD Security Team.
+
+<URL:http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8612>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+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+=o9yw
+-----END PGP SIGNATURE-----
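Review bot: Section III reads "This smay lead to exposure", which should be "This may lead"; because the text sits inside the clearsigned body, correcting it means re-signing the advisory. Sections II and III would also read better with "16 bits" than "16-bits". In Section V, step a) has the reader fetch sctp.patch and sctp.patch.asc, the same file names that FreeBSD-SA-15:03 uses, so anyone applying both advisories from one directory overwrites the first patch and its signature; suggest telling readers to use separate directories or giving the files distinct names.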
Added: head/share/security/advisories/FreeBSD-SA-15:03.sctp.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:03.sctp.asc Tue Jan 27 19:53:31 2015 (r46235)
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:03.sctp Security Advisory
+ The FreeBSD Project
+
+Topic: SCTP stream reset vulnerability
+
+Category: core
+Module: sctp
+Announced: 2015-01-27
+Credits: Gerasimos Dimitriadis
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE)
+ 2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5)
+ 2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17)
+ 2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE)
+ 2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9)
+ 2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE)
+ 2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23)
+CVE Name: CVE-2014-8613
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+SCTP protocol provides reliable, flow-controlled, two-way transmission
+of data. It is a message oriented protocol and can support the SOCK_STREAM
+and SOCK_SEQPACKET abstractions.
+
+II. Problem Description
+
+The input validation of received SCTP RE_CONFIG chunks is insufficient,
+and can result in a NULL pointer deference later.
+
+III. Impact
+
+A remote attacker who can send a malformed SCTP packet to a FreeBSD system
+that serves SCTP can cause a kernel panic, resulting in a Denial of
+Service.
+
+IV. Workaround
+
+On FreeBSD 10.1 or later systems, the system administrator can set
+net.inet.sctp.reconfig_enable to 0 to disable processing of RE_CONFIG
+chunks. This workaround is not available on earlier FreeBSD releases,
+but systems that do not serve SCTP connections are not vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch.asc
+# gpg --verify sctp.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r277807
+releng/8.4/ r277808
+stable/9/ r277807
+releng/9.3/ r277808
+stable/10/ r277807
+releng/10.0/ r277808
+releng/10.1/ r277808
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8613>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:03.sctp.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+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+=859G
+-----END PGP SIGNATURE-----
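Review bot: Section II says "NULL pointer deference", which should be "dereference"; as with any change to the clearsigned body, the fix needs a fresh signature. Section IV names net.inet.sctp.reconfig_enable but, unlike the Solution steps, gives no command line; adding the sysctl invocation, and a note on keeping the setting across reboots, would save readers a lookup. Step a) of the source patch instructions also reuses the sctp.patch file name from SA-15:02.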
Added: head/share/security/patches/SA-15:02/sctp.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:02/sctp.patch Tue Jan 27 19:53:31 2015 (r46235)
@@ -0,0 +1,45 @@
+Index: sys/netinet/sctp_usrreq.c
+===================================================================
+--- sys/netinet/sctp_usrreq.c (revision 277788)
++++ sys/netinet/sctp_usrreq.c (working copy)
+@@ -1863,8 +1863,9 @@ flags_out:
+ SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize);
+ SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ if (stcb) {
+- if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+- &av->stream_value) < 0) {
++ if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
++ (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
++ &av->stream_value) < 0)) {
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ error = EINVAL;
+ } else {
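Review bot: the new `av->stream_id >= stcb->asoc.streamoutcnt` test in the get path relies on `||` short-circuiting to keep `strmout[av->stream_id]` from being evaluated, and nothing in the hunk says so. A one-line comment, or a separate `if` that rejects the index before the `sctp_ss_get_value` call, would make that ordering dependency harder to break in a later edit. The comparison is a complete bound only if `stream_id` is unsigned, which the hunk does not show and is worth confirming. The same applies to the matching set-path hunk that follows.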
+@@ -4032,8 +4033,9 @@ sctp_setopt(struct socket *so, int optname, void *
+ SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize);
+ SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ if (stcb) {
+- if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+- av->stream_value) < 0) {
++ if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
++ (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
++ av->stream_value) < 0)) {
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ error = EINVAL;
+ }
+@@ -4043,10 +4045,12 @@ sctp_setopt(struct socket *so, int optname, void *
+ SCTP_INP_RLOCK(inp);
+ LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
+ SCTP_TCB_LOCK(stcb);
+- stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
+- &stcb->asoc,
+- &stcb->asoc.strmout[av->stream_id],
+- av->stream_value);
++ if (av->stream_id < stcb->asoc.streamoutcnt) {
++ stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
++ &stcb->asoc,
++ &stcb->asoc.strmout[av->stream_id],
++ av->stream_value);
++ }
+ SCTP_TCB_UNLOCK(stcb);
+ }
+ SCTP_INP_RUNLOCK(inp);
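Review bot: in the loop over `sctp_asoc_list`, an out-of-range `av->stream_id` is now skipped silently, whereas the single-association path in the previous hunk sets `error = EINVAL`. The caller is told the option was set even if no association accepted the value. If that is intended, say so in a comment; otherwise consider tracking whether any association was updated and returning EINVAL when none was.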
Added: head/share/security/patches/SA-15:02/sctp.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:02/sctp.patch.asc Tue Jan 27 19:53:31 2015 (r46235)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+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+=ZyyZ
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-15:03/sctp.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:03/sctp.patch Tue Jan 27 19:53:31 2015 (r46235)
@@ -0,0 +1,119 @@
+Index: sys/netinet/sctp_input.c
+===================================================================
+--- sys/netinet/sctp_input.c (revision 277788)
++++ sys/netinet/sctp_input.c (working copy)
+@@ -3649,6 +3649,9 @@ sctp_handle_stream_reset_response(struct sctp_tcb
+ /* huh ? */
+ return (0);
+ }
++ if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) {
++ return (0);
++ }
+ if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
+ resp = (struct sctp_stream_reset_response_tsn *)respin;
+ asoc->stream_reset_outstanding--;
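Review bot: the `param_length` check is placed ahead of the `action == SCTP_STREAM_RESET_RESULT_PERFORMED` test, but the cast to `struct sctp_stream_reset_response_tsn` that it protects is inside that branch. If shorter responses are valid for other results at this point, they are now dropped by the early `return (0)`; moving the check inside the branch would avoid that. Either way it needs a comment, since it returns the same value as the "huh ?" case above and gives no hint that the parameter was too short.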
+@@ -4037,7 +4040,7 @@ __attribute__((noinline))
+ sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
+ struct sctp_chunkhdr *ch_req)
+ {
+- int chk_length, param_len, ptype;
++ uint16_t remaining_length, param_len, ptype;
+ struct sctp_paramhdr pstore;
+ uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
+ uint32_t seq = 0;
+@@ -4050,7 +4053,7 @@ __attribute__((noinline))
+ int num_param = 0;
+
+ /* now it may be a reset or a reset-response */
+- chk_length = ntohs(ch_req->chunk_length);
++ remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);
+
+ /* setup for adding the response */
+ sctp_alloc_a_chunk(stcb, chk);
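Review bot: `remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);` has no visible guard for a chunk length smaller than the chunk header. With `remaining_length` now a `uint16_t`, that case wraps to a large value instead of going negative, so the loop bound no longer reflects the real chunk size. Unless the caller already guarantees the minimum length (worth a comment if so), compare `chunk_length` against `sizeof(struct sctp_chunkhdr)` before subtracting.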
+@@ -4088,20 +4091,27 @@ strres_nochunk:
+ ch->chunk_length = htons(chk->send_size);
+ SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
+ offset += sizeof(struct sctp_chunkhdr);
+- while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
++ while (remaining_length >= sizeof(struct sctp_paramhdr)) {
+ ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore);
+- if (ph == NULL)
++ if (ph == NULL) {
++ /* TSNH */
+ break;
++ }
+ param_len = ntohs(ph->param_length);
+- if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
+- /* bad param */
++ if ((param_len > remaining_length) ||
++ (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) {
++ /* bad parameter length */
+ break;
+ }
+- ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)),
++ ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)),
+ (uint8_t *) & cstore);
++ if (ph == NULL) {
++ /* TSNH */
++ break;
++ }
+ ptype = ntohs(ph->param_type);
+ num_param++;
+- if (param_len > (int)sizeof(cstore)) {
++ if (param_len > sizeof(cstore)) {
+ trunc = 1;
+ } else {
+ trunc = 0;
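Review bot: the `/* TSNH */` comments on the two `ph == NULL` breaks are opaque to anyone who does not know the abbreviation (presumably "this should not happen"); spell it out and say why the lookup is not expected to fail. The lower bound `sizeof(struct sctp_paramhdr) + sizeof(uint32_t)` is a bare expression, so say which field the `uint32_t` stands for. Also, `min(param_len, sizeof(cstore))` now mixes a `uint16_t` with a `size_t` after the `(int)` casts were dropped; check that the `min` in use accepts both without truncation or a signedness warning.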
+@@ -4113,6 +4123,9 @@ strres_nochunk:
+ if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
+ struct sctp_stream_reset_out_request *req_out;
+
++ if (param_len < sizeof(struct sctp_stream_reset_out_request)) {
++ break;
++ }
+ req_out = (struct sctp_stream_reset_out_request *)ph;
+ num_req++;
+ if (stcb->asoc.stream_reset_outstanding) {
+@@ -4126,6 +4139,9 @@ strres_nochunk:
+ } else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) {
+ struct sctp_stream_reset_add_strm *str_add;
+
++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
++ break;
++ }
+ str_add = (struct sctp_stream_reset_add_strm *)ph;
+ num_req++;
+ sctp_handle_str_reset_add_strm(stcb, chk, str_add);
+@@ -4132,6 +4148,9 @@ strres_nochunk:
+ } else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) {
+ struct sctp_stream_reset_add_strm *str_add;
+
++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
++ break;
++ }
+ str_add = (struct sctp_stream_reset_add_strm *)ph;
+ num_req++;
+ sctp_handle_str_reset_add_out_strm(stcb, chk, str_add);
+@@ -4156,6 +4175,9 @@ strres_nochunk:
+ struct sctp_stream_reset_response *resp;
+ uint32_t result;
+
++ if (param_len < sizeof(struct sctp_stream_reset_response)) {
++ break;
++ }
+ resp = (struct sctp_stream_reset_response *)ph;
+ seq = ntohl(resp->response_seq);
+ result = ntohl(resp->result);
+@@ -4167,7 +4189,11 @@ strres_nochunk:
+ break;
+ }
+ offset += SCTP_SIZE32(param_len);
+- chk_length -= SCTP_SIZE32(param_len);
++ if (remaining_length >= SCTP_SIZE32(param_len)) {
++ remaining_length -= SCTP_SIZE32(param_len);
++ } else {
++ remaining_length = 0;
++ }
+ }
+ if (num_req == 0) {
+ /* we have no response free the stuff */
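Review bot: the clamp on `remaining_length` is needed because the earlier check compares the raw `param_len` against `remaining_length`, while the subtraction uses the padded `SCTP_SIZE32(param_len)`, which can exceed what is left for the last parameter. That reasoning is not in the code, so add a comment here. Note also that `offset` is still advanced by the padded size unconditionally, which is harmless only because `remaining_length = 0` ends the loop at the next test.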
Added: head/share/security/patches/SA-15:03/sctp.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:03/sctp.patch.asc Tue Jan 27 19:53:31 2015 (r46235)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Tue Jan 27 06:38:29 2015 (r46234)
+++ head/share/xml/advisories.xml Tue Jan 27 19:53:31 2015 (r46235)
@@ -11,6 +11,18 @@
<name>1</name>
<day>
+ <name>27</name>
+
+ <advisory>
+ <name>FreeBSD-SA-15:03.sctp</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-15:02.kmem</name>
+ </advisory>
+ </day>
+
+ <day>
<name>14</name>
<advisory>