Linux remote overflow: Linux Kernel FWD-TSN chunk remote overflow vulnerability

BUGTRAQ ID: 33113

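The Linux Kernel is the kernel used by the open-source operating system Linux.

If Linux receives a FWD-TSN chunk carrying a malformed stream ID, sctp performs no validity check on it, which can cause an overflow when the TSN of that stream ID is overwritten.

The overflow can be triggered through the following code path:

sctp_do_sm -> call sctp_sf_eat_fwd_tsn* -> sctp_side_effects -> sctp_cmd_interpreter -> cmd -> verb (e.g. SCTP_CMD_PROCESS_FWDTSN)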

linux-2.6:net/sctp/sm_sideeffect.c:

    /* This is the side-effect interpreter. */
    static int sctp_cmd_interpreter(sctp_event_t event_type,
                                    sctp_subtype_t subtype,
                                    sctp_state_t state,
                                    struct sctp_endpoint *ep,
                                    struct sctp_association *asoc,
                                    void *event_arg,
                                    sctp_disposition_t status,
                                    sctp_cmd_seq_t *commands,
                                    gfp_t gfp)
    {
    [...]
        while (NULL != (cmd = sctp_next_cmd(commands))) {
            switch (cmd->verb) {
    [...]
            case SCTP_CMD_PROCESS_FWDTSN:
                sctp_cmd_process_fwdtsn(&asoc->ulpq,
                                        cmd->obj.ptr);
    [...]

    /* Process variable FWDTSN chunk information. */
    static void sctp_cmd_process_fwdtsn(struct sctp_ulpq *ulpq,
                                        struct sctp_chunk *chunk)
    {
        struct sctp_fwdtsn_skip *skip;
        /* Walk through all the skipped SSNs */
        sctp_walk_fwdtsn(skip, chunk) {
            sctp_ulpq_skip(ulpq, ntohs(skip->stream),
                           ntohs(skip->ssn));
    [...]

linux-2.6:net/sctp/ulpqueue.c:

    /* Skip over an SSN. This is used during the processing of
     * Forward TSN chunk to skip over the abandoned ordered data
     */
    void sctp_ulpq_skip(struct sctp_ulpq *ulpq, __u16 sid, __u16 ssn)
    {
        struct sctp_stream *in;

        /* Note: The stream ID must be verified before this routine. */
        in = &ulpq->asoc->ssnmap->in;

        /* Is this an old SSN? If so ignore. */
        if (SSN_lt(ssn, sctp_ssn_peek(in, sid)))
            return;

        /* Mark that we are no longer expecting this SSN or lower. */
        sctp_ssn_skip(in, sid, ssn);
    [...]

linux-2.6:include/net/sctp/structs.h:

    /* Skip over this ssn and all below. */
    static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id,
                                     __u16 ssn)
    {
        stream->ssn[id] = ssn+1;
    }
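
The final write, `stream->ssn[id] = ssn+1`, indexes the SSN table with a stream ID taken directly from the received chunk. As an added example (a user-space model, not kernel code and not the vendor patch), the following C code checks every stream ID in a FWD-TSN body against the inbound stream count before any skip is applied. `model_stream`, `model_process_fwdtsn`, `MODEL_IN_STREAMS` and the sample byte strings are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_IN_STREAMS 4 /* assumed inbound stream count of the association */

/* Hypothetical user-space stand-in for the inbound SSN table (stream->ssn[]). */
struct model_stream { uint16_t len; uint16_t ssn[MODEL_IN_STREAMS]; };

/* Constructed FWD-TSN bodies: 4-byte new cumulative TSN, then (stream, ssn)
 * pairs of 16 bits each in network byte order (layout per RFC 3758). */
static const uint8_t good_body[] = { 0,0,0,0x10,  0,1, 0,5,  0,3, 0,9 };
static const uint8_t bad_body[]  = { 0,0,0,0x10,  0,1, 0,5,  0xff,0xff, 0,7 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the number of skip entries applied, or -1 if the chunk is rejected. */
int model_process_fwdtsn(struct model_stream *in, const uint8_t *body, size_t len)
{
    size_t off;
    int applied = 0;

    if (len < 4 || (len - 4) % 4 != 0)
        return -1;                      /* truncated or misaligned skip list */
    /* Pass 1: check every stream ID before any state is modified. */
    for (off = 4; off < len; off += 4)
        if (rd16(body + off) >= in->len)
            return -1;                  /* out-of-range stream ID: drop whole chunk */
    /* Pass 2: every index is now known to be inside ssn[]. */
    for (off = 4; off < len; off += 4) {
        uint16_t sid = rd16(body + off), ssn = rd16(body + off + 2);
        if ((uint16_t)(ssn - in->ssn[sid]) & 0x8000)
            continue;                   /* old SSN, ignored as in sctp_ulpq_skip() */
        in->ssn[sid] = (uint16_t)(ssn + 1);
        applied++;
    }
    return applied;
}

int main(void)
{
    struct model_stream in = { MODEL_IN_STREAMS, { 0 } };
    printf("malformed: %d\n", model_process_fwdtsn(&in, bad_body, sizeof bad_body));
    printf("valid:     %d\n", model_process_fwdtsn(&in, good_body, sizeof good_body));
    return 0;
}
```

Validating in a separate pass before applying means a chunk with one bad entry leaves the SSN table untouched, including for the valid entries that precede it.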

Linux kernel 2.6.x

Vendor patch:

Linux

-----

The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's site:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9fcb95a105758b81ef0131cd18e2db5149f13e95
