BUGTRAQ ID: 33113 Linux Kernel是开放源码操作系统Linux所使用的内核。 如果Linux接收到了带有畸形(超出范围)流ID的FWD-TSN块,sctp不会对该流ID执行有效性检查,而是直接以该流ID为下标写入 stream->ssn[] 数组(见下方 sctp_ssn_skip),从而导致越界写入(内存溢出)。 可通过以下代码路径触发这个溢出: sctp_do_sm -> call sctp_sf_eat_fwd_tsn* -> sctp_side_effects -> sctp_cmd_interpreter -> cmd -> verb(如SCTP_CMD_PROCESS_FWDTSN) linux-2.6:net/sctp/sm_sideeffect.c: 1079 /* This is the side-effect interpreter. */ 1080 static int sctp_cmd_interpreter(sctp_event_t event_type, 1081 sctp_subtype_t subtype, 1082 sctp_state_t state, 1083 struct sctp_endpoint *ep, 1084 struct sctp_association *asoc, 1085 void *event_arg, 1086 sctp_disposition_t status, 1087 sctp_cmd_seq_t *commands, 1088 gfp_t gfp) 1089 { [...] 1112 while (NULL != (cmd = sctp_next_cmd(commands))) { 1113 switch (cmd->verb) { [...] 1170 case SCTP_CMD_PROCESS_FWDTSN: 1171 sctp_cmd_process_fwdtsn(&asoc->ulpq, cmd->obj.ptr); 823 /* Process variable FWDTSN chunk information. */ 824 static void sctp_cmd_process_fwdtsn(struct sctp_ulpq *ulpq, 825 struct sctp_chunk...
BUGTRAQ ID: 33113 Linux Kernel是开放源码操作系统Linux所使用的内核。 如果Linux接收到了带有畸形(超出范围)流ID的FWD-TSN块,sctp不会对该流ID执行有效性检查,而是直接以该流ID为下标写入 stream->ssn[] 数组(见下方 sctp_ssn_skip),从而导致越界写入(内存溢出)。 可通过以下代码路径触发这个溢出: sctp_do_sm -> call sctp_sf_eat_fwd_tsn* -> sctp_side_effects -> sctp_cmd_interpreter -> cmd -> verb(如SCTP_CMD_PROCESS_FWDTSN) linux-2.6:net/sctp/sm_sideeffect.c: 1079 /* This is the side-effect interpreter. */ 1080 static int sctp_cmd_interpreter(sctp_event_t event_type, 1081 sctp_subtype_t subtype, 1082 sctp_state_t state, 1083 struct sctp_endpoint *ep, 1084 struct sctp_association *asoc, 1085 void *event_arg, 1086 sctp_disposition_t status, 1087 sctp_cmd_seq_t *commands, 1088 gfp_t gfp) 1089 { [...] 1112 while (NULL != (cmd = sctp_next_cmd(commands))) { 1113 switch (cmd->verb) { [...] 1170 case SCTP_CMD_PROCESS_FWDTSN: 1171 sctp_cmd_process_fwdtsn(&asoc->ulpq, cmd->obj.ptr); 823 /* Process variable FWDTSN chunk information. */ 824 static void sctp_cmd_process_fwdtsn(struct sctp_ulpq *ulpq, 825 struct sctp_chunk *chunk) 826 { 827 struct sctp_fwdtsn_skip *skip; 828 /* Walk through all the skipped SSNs */ 829 sctp_walk_fwdtsn(skip, chunk) { 830 sctp_ulpq_skip(ulpq, ntohs(skip->stream), ntohs(skip->ssn)); linux-2.6:net/sctp/ulpqueue.c: 936 /* Skip over an SSN. This is used during the processing of 937 * Forwared TSN chunk to skip over the abandoned ordered data 938 */ 939 void sctp_ulpq_skip(struct sctp_ulpq *ulpq, __u16 sid, __u16 ssn) 940 { 941 struct sctp_stream *in; 942 943 /* Note: The stream ID must be verified before this routine. */ 944 in = &ulpq->asoc->ssnmap->in; 945 946 /* Is this an old SSN? If so ignore. */ 947 if (SSN_lt(ssn, sctp_ssn_peek(in, sid))) 948 return; 949 950 /* Mark that we are no longer expecting this SSN or lower. */ 951 sctp_ssn_skip(in, sid, ssn); linux-2.6:include/net/sctp/structs.h: 514 /* Skip over this ssn and all below. 
*/ 515 static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id, 516 __u16 ssn) 517 { 518 stream->ssn[id] = ssn+1; Linux kernel 2.6.x 厂商补丁: Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9fcb95a105758b81ef0131cd18e2db5149f13e95 target=_blank rel=external nofollow>http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9fcb95a105758b81ef0131cd18e2db5149f13e95</a>