[arch-security] sctp:sk_ack_backlog wrap-around problem

Mark Lee mark at markelee.com
Fri Jun 27 15:00:37 EDT 2014


Salutations,

To all, please see below for CVE request on oss-security.

Regards,
Mark

> Description of the problem:
> For a TCP-style socket, while processing the COOKIE_ECHO chunk in
> sctp_sf_do_5_1D_ce(), after it has passed a series of sanity checks, a
> new association would be created in sctp_unpack_cookie(), but
> afterwards, some processing may have failed, and sctp_association_free()
> will be called to free the previously allocated association, in
> sctp_association_free(), sk_ack_backlog value is decremented for this
> socket, since the initial value for sk_ack_backlog is 0, after
> the decrement, it will be 65535, a wrap-around problem happens, and
> if we want to establish new associations afterward in the same
> socket, ABORT would be triggered since sctp deems the accept queue as
> full.
> 
> A remote attacker can block further connections to the particular sctp
> server socket by sending a specially crafted sctp packet.
> 
> Upstream patch:
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d3217b15a19a4779c39b212358a5c71d725822ee
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=1113967
> 
> Thanks,
> -- Petr Matousek / Red Hat Product Security PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA 



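The wrap-around described in the quoted report, as an added example that is not part of the original message or the kernel source: a user-space C model of a 16-bit unsigned backlog counter that is decremented without a matching increment, next to a paired form. The struct and function names, the backlog limit of 128 and the `counted` guard are assumptions for illustration and do not reproduce the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model only: stand-ins for the two socket fields involved. */
struct sock_model {
    unsigned short ack_backlog;     /* plays sk_ack_backlog (16-bit, unsigned) */
    unsigned short max_ack_backlog; /* plays the listen() backlog limit */
};

/* Hypothetical association; 'counted' is true once it bumped ack_backlog. */
struct assoc_model { bool counted; };

/* A new association is refused (ABORT) while this returns true. */
static bool acceptq_is_full(const struct sock_model *sk) {
    return sk->ack_backlog > sk->max_ack_backlog;
}

/* Reported behaviour: every free decrements, counted or not. */
static void assoc_free_unpaired(struct sock_model *sk, struct assoc_model *a) {
    (void)a;
    sk->ack_backlog--; /* 0 - 1 stored back into 16 bits gives 65535 */
}

/* Assumed guard: decrement only what was incremented earlier. */
static void assoc_free_paired(struct sock_model *sk, struct assoc_model *a) {
    if (a->counted) {
        sk->ack_backlog--;
        a->counted = false;
    }
}

/* One failed setup on an idle listener: the association is created, then
 * freed before it was ever counted. Returns the socket state afterwards. */
static struct sock_model simulate_failed_setup(bool paired) {
    struct sock_model sk = { 0, 128 };   /* constructed sample values */
    struct assoc_model a = { false };
    if (paired) assoc_free_paired(&sk, &a);
    else        assoc_free_unpaired(&sk, &a);
    return sk;
}

int main(void) {
    struct sock_model bad = simulate_failed_setup(false);
    struct sock_model ok = simulate_failed_setup(true);
    printf("unpaired: backlog=%u full=%d\n", bad.ack_backlog, acceptq_is_full(&bad));
    printf("paired:   backlog=%u full=%d\n", ok.ack_backlog, acceptq_is_full(&ok));
    return 0;
}
```

In the unpaired case a single failed setup leaves the model's counter above any possible limit, so every later accept-queue check fails until the socket is recreated.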