commit    25958c671804a3829d822fc3ccc3eff534b1aaa0
author    Vladislav Yasevich <vladsilav.yasevich@hp.com>
          Sat, 6 May 2006 00:03:49 +0000 (Fri, 5 May 2006 17:03 -0700)
committer Chris Wright <chrisw@sous-sol.org>
          Tue, 9 May 2006 19:53:21 +0000 (Tue, 9 May 2006 12:53 -0700)
tree      ca580d5d14ac5c9861d4a710fa1252ff089fe552
parent    2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c
[PATCH] SCTP: Prevent possible infinite recursion with multiple bundled DATA. (CVE-2006-2274)

There is a rare situation that causes lksctp to go into infinite recursion
and crash the system.  The trigger is a packet that contains at least the
first two DATA fragments of a message bundled together. The recursion is
triggered when the user data buffer is smaller than the full data message.
The problem is that we clone the skb for every fragment in the message.
When reassembling the full message, we try to link skbs from the "first
fragment" clone using the frag_list. However, since the frag_list is shared
between two clones in this rare situation, we end up setting the frag_list
pointer of the second fragment to point to itself.  This causes
sctp_skb_pull() to potentially recurse indefinitely.

Proposed solution is to make a copy of the skb when attempting to link
things using frag_list.

Signed-off-by: Vladislav Yasevich <vladsilav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
net/sctp/ulpqueue.c
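The following is an added illustration of the sharing problem the commit message describes; it is not the kernel's code and not part of this commit. It is a small C model in which `struct mskb` and `struct shinfo` stand in for `sk_buff` and `skb_shared_info`, `mskb_clone()` and `mskb_copy()` mimic the clone/copy distinction (a clone gets a new header but shares the block that holds `frag_list`; a copy gets its own block), `link_frags()` stands in for the frag_list linking done in ulpqueue.c, and `bounded_pull()` stands in for `sctp_skb_pull()` with an added recursion bound so the loop is reported as -1 rather than overflowing the stack. All of these names and the byte counts are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for skb_shared_info: the block a clone shares with its original. */
struct shinfo {
    struct mskb *frag_list;   /* chain of fragment skbs hanging off this one */
    int users;                /* how many skb headers reference this block */
};

/* Stand-in for sk_buff. */
struct mskb {
    struct shinfo *sh;        /* clones share one block; a copy owns its own */
    size_t len;               /* bytes of user data still held by this fragment */
};

static void *xcalloc(size_t n) {
    void *p = calloc(1, n);
    if (!p) abort();
    return p;
}

static struct mskb *mskb_alloc(size_t len) {
    struct mskb *s = xcalloc(sizeof *s);
    s->sh = xcalloc(sizeof *s->sh);
    s->sh->users = 1;
    s->len = len;
    return s;
}

/* Like skb_clone(): new header, same shared block (and so the same frag_list). */
static struct mskb *mskb_clone(struct mskb *src) {
    struct mskb *c = xcalloc(sizeof *c);
    *c = *src;
    c->sh->users++;
    return c;
}

/* Like skb_copy(): new header and a private copy of the shared block. */
static struct mskb *mskb_copy(struct mskb *src) {
    struct mskb *c = xcalloc(sizeof *c);
    *c = *src;
    c->sh = xcalloc(sizeof *c->sh);
    *c->sh = *src->sh;
    c->sh->users = 1;
    return c;
}

/* Hang frag2 off frag1 via frag_list. With link_via_copy == 0 the clone is
 * used directly (pre-patch behaviour); with 1 a private copy is linked
 * instead (the fix the commit describes). */
static struct mskb *link_frags(struct mskb *frag1, struct mskb *frag2, int link_via_copy) {
    struct mskb *head = link_via_copy ? mskb_copy(frag1) : frag1;
    head->sh->frag_list = frag2;
    return head;
}

/* Bounded model of sctp_skb_pull(): trim up to len bytes from skb, then
 * recurse into its frag_list for the rest. Returns the bytes still unpulled
 * when the chain ends, or -1 if depth_left is exhausted, which can only
 * happen when the frag_list loops back on itself. */
static long bounded_pull(struct mskb *skb, size_t len, int depth_left) {
    if (depth_left == 0)
        return -1;
    size_t take = len < skb->len ? len : skb->len;
    skb->len -= take;
    len -= take;
    if (len == 0)
        return 0;
    struct mskb *frag = skb->sh->frag_list;
    if (!frag)
        return (long)len;
    return bounded_pull(frag, len, depth_left - 1);
}

/* The triggering shape: one received packet, and the first two DATA
 * fragments of a message both taken from it as clones. Teardown is omitted. */
static long reassemble_and_pull(int link_via_copy, size_t frag_len, size_t pull_len) {
    struct mskb *packet = mskb_alloc(frag_len);
    struct mskb *frag1 = mskb_clone(packet);   /* first DATA chunk */
    struct mskb *frag2 = mskb_clone(packet);   /* second DATA chunk, same packet */
    struct mskb *head = link_frags(frag1, frag2, link_via_copy);
    return bounded_pull(head, pull_len, 16);
}

int main(void) {
    /* Pulling more than both fragments hold is the "user buffer smaller than
     * the message" case: the clone-linked chain never terminates. */
    printf("clone-linked, pull 250 of 2x100: %ld\n", reassemble_and_pull(0, 100, 250));
    printf("copy-linked,  pull 250 of 2x100: %ld\n", reassemble_and_pull(1, 100, 250));
    return 0;
}
```

In the clone-linked case `head->sh` is the same block as `frag2->sh`, so setting `head->sh->frag_list = frag2` also makes `frag2` its own successor; once `frag2` has been drained the pull keeps revisiting it with nothing left to take. Linking through a copy keeps the head's `frag_list` private, so `frag2`'s own `frag_list` stays empty and the walk terminates.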