Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-0322: git/torvalds/linux.git - Linux kernel source tree

A flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel with a local user privilege access. In this flaw, an attempt to use more buffer than is allocated triggers a BUG_ON issue, leading to a denial of service (DOS).

CVE
Open in Source
#linux#dos#git

author

Eiichi Tsukata [email protected]

2021-10-13 17:27:29 -0300

committer

Jakub Kicinski [email protected]

2021-10-14 07:15:22 -0700

commit

a2d859e3fc97e79d907761550dbc03ff1b36479c (patch)

tree

762d3c2ad7eb91f34ac85e45988620d22ca7b940

parent

332fdf951df8b870e3da86b122ae304e2aabe88c (diff)

download

linux-a2d859e3fc97e79d907761550dbc03ff1b36479c.tar.gz

sctp: account stream padding length for reconf chunk

sctp_make_strreset_req() makes repeated calls to sctp_addto_chunk() which will automatically account for padding on each call. inreq and outreq are already 4 bytes aligned, but the payload is not and doing SCTP_PAD4(a + b) (which _sctp_make_chunk() did implicitly here) is different from SCTP_PAD4(a) + SCTP_PAD4(b) and not enough. It led to possible attempt to use more buffer than it was allocated and triggered a BUG_ON. Cc: Vlad Yasevich [email protected] Cc: Neil Horman [email protected] Cc: Greg KH [email protected] Fixes: cc16f00f6529 (“sctp: add support for generating stream reconf ssn reset request chunk”) Reported-by: Eiichi Tsukata [email protected] Signed-off-by: Eiichi Tsukata [email protected] Signed-off-by: Marcelo Ricardo Leitner [email protected] Signed-off-by: Marcelo Ricardo Leitner [email protected] Reviewed-by: Xin Long [email protected] Link: https://lore.kernel.org/r/b97c1f8b0c7ff79ac4ed206fc2c49d3612e0850c.1634156849.git.mleitner@redhat.com Signed-off-by: Jakub Kicinski [email protected]

-rw-r–r--

net/sctp/sm_make_chunk.c

2

1 files changed, 1 insertions, 1 deletions

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index b8fa8f1a72770…c7503fd649159 100644
— a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c

@@ -3697,7 +3697,7 @@ struct sctp_chunk *sctp_make_strreset_req(

outlen = (sizeof(outreq) + stream_len) * out;

inlen = (sizeof(inreq) + stream_len) * in;

- retval = sctp_make_reconf(asoc, outlen + inlen);

+ retval = sctp_make_reconf(asoc, SCTP_PAD4(outlen) + SCTP_PAD4(inlen));

if (!retval)

return NULL;

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE