authorXin LI <delphij@FreeBSD.org>2013-08-22 00:51:56 +0000
committerXin LI <delphij@FreeBSD.org>2013-08-22 00:51:56 +0000
commite72a33b081cc5ff2ccfbeb6eb899e5cd3112528b (patch)
treee5fe7ac55579da3b3d2e8ac078ceb2cb2da32152
parent4a5eb317bb06df4148335a805dd4b0fce1e27437 (diff)
Fix an integer overflow in computing the size of a temporary buffer
that can result in a buffer which is too small for the requested operation. [13:09] Fix a bug that could lead to kernel memory disclosure with SCTP state cookie. [13:10] Security: CVE-2013-3077 Security: FreeBSD-SA-13:09.ip_multicast Security: CVE-2013-5209 Security: FreeBSD-SA-13:10.sctp Approved by: so
Notes
Notes: svn path=/releng/8.3/; revision=254632
-rw-r--r--UPDATING9
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/netinet/in_mcast.c2
-rw-r--r--sys/netinet/sctp_output.c8
-rw-r--r--sys/netinet6/in6_mcast.c2
5 files changed, 22 insertions, 1 deletions
diff --git a/UPDATING b/UPDATING
index d87861199ab8..44fb89ff04bb 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20130822: p10 FreeBSD-SA-13:09.ip_multicast
+ FreeBSD-SA-13:10.sctp
+ Fix an integer overflow in computing the size of a temporary buffer
+ can result in a buffer which is too small for the requested
+ operation. [13:09]
+
+ Fix a bug that could lead to kernel memory disclosure with
+ SCTP state cookie. [13:10]
+
20130429: p9 FreeBSD-SA-13:08.nfsserver
Fix a bug that allows remote client bypass the normal
access checks when when -network or -host restrictions are
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 6783d1ff9b23..1c2eb32c7f20 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.3"
-BRANCH="RELEASE-p9"
+BRANCH="RELEASE-p10"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c
index 811d935ba995..68e75a8a2d34 100644
--- a/sys/netinet/in_mcast.c
+++ b/sys/netinet/in_mcast.c
@@ -1613,6 +1613,8 @@ inp_get_source_filters(struct inpcb *inp, struct sockopt *sopt)
* has asked for, but we always tell userland how big the
* buffer really needs to be.
*/
+ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
+ msfr.msfr_nsrcs = in_mcast_maxsocksrc;
tss = NULL;
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
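Review bot: The new clamp on msfr.msfr_nsrcs carries no comment tying it to the overflow it prevents; the existing comment just above describes only the truncate-but-report-full-size behaviour, so a reader cannot see why the cap matters for the `sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs` computation on the last line of the hunk. Suggest preceding the check with `/* Cap the request at in_mcast_maxsocksrc so the allocation size below cannot overflow. */`. The same clamp and comment apply to the in6_mcast.c hunk, with in6_mcast_maxsocksrc. inp_get_source_filters continues outside the hunk, and in_mcast_maxsocksrc is presumably a tunable whose maximum keeps the product within range of the allocator's size argument; that bound is worth confirming where the tunable is defined.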
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index f2aa264b78b9..6c6e39d7b905 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -5456,6 +5456,14 @@ do_a_abort:
}
SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
+ /*
+ * We might not overwrite the identification[] completely and on
+ * some platforms time_entered will contain some padding. Therefore
+ * zero out the cookie to avoid putting uninitialized memory on the
+ * wire.
+ */
+ memset(&stc, 0, sizeof(struct sctp_state_cookie));
+
/* the time I built cookie */
(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
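Review bot: The new memset sizes the zeroing by the type name, `memset(&stc, 0, sizeof(struct sctp_state_cookie));`, while the object being cleared is the local stc; `memset(&stc, 0, sizeof(stc));` keeps the length tied to the variable and cannot drift if the declaration changes. The comment above the call states the motivation clearly, so no further documentation is needed. The enclosing function begins outside the hunk (the do_a_abort: label shown in the hunk header is inside it), so it is not visible here whether any field of stc is written before this point and would be wiped by the memset; worth checking when placing the call.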
diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c
index 456301fe7b87..60965326b9c4 100644
--- a/sys/netinet6/in6_mcast.c
+++ b/sys/netinet6/in6_mcast.c
@@ -1624,6 +1624,8 @@ in6p_get_source_filters(struct inpcb *inp, struct sockopt *sopt)
* has asked for, but we always tell userland how big the
* buffer really needs to be.
*/
+ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
+ msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
tss = NULL;
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,