From owner-svn-doc-head@FreeBSD.ORG Tue Jan 27 19:53:33 2015
Message-Id: <201501271953.t0RJrWL0024785@svn.freebsd.org>
From: Xin LI
Date: Tue, 27 Jan 2015 19:53:32 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r46235 - in head/share: security/advisories security/patches/SA-15:02 security/patches/SA-15:03 xml
List-Id: SVN commit messages for the doc tree for head

Author: delphij
Date: Tue Jan 27 19:53:31 2015
New Revision: 46235
URL: https://svnweb.freebsd.org/changeset/doc/46235

Log:
  Add advisories and patches for SA-15:02.kmem and SA-15:03.sctp.

Added:
  head/share/security/advisories/FreeBSD-SA-15:02.kmem.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:03.sctp.asc   (contents, props changed)
  head/share/security/patches/SA-15:02/
  head/share/security/patches/SA-15:02/sctp.patch   (contents, props changed)
  head/share/security/patches/SA-15:02/sctp.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:03/
  head/share/security/patches/SA-15:03/sctp.patch   (contents, props changed)
  head/share/security/patches/SA-15:03/sctp.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-15:02.kmem.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:02.kmem.asc	Tue Jan 27 19:53:31 2015	(r46235)
@@ -0,0 +1,145 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:02.kmem Security Advisory + The FreeBSD Project + +Topic: SCTP SCTP_SS_VALUE kernel memory corruption and disclosure + +Category: core +Module: sctp +Announced: 2015-01-27 +Credits: Clement LECIGNE from Google Security Team and + Francisco Falcon from Core Security Technologies +Affects: All supported versions of FreeBSD. +Corrected: 2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE) + 2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5) + 2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17) + 2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE) + 2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9) + 2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE) + 2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23) +CVE Name: CVE-2014-8612 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +SCTP protocol provides reliable, flow-controlled, two-way transmission +of data. It is a message oriented protocol and can support the SOCK_STREAM +and SOCK_SEQPACKET abstractions. + +SCTP allows the user to choose between multiple scheduling algorithms to +optimize the sending behavior of SCTP in scenarios with different +requirements. + +II. Problem Description + +Due to insufficient validation of the SCTP stream ID, which serves as an array +index, a local unprivileged attacker can read or write 16-bits of kernel +memory. + +III. Impact + +An unprivileged process can read or modify 16-bits of memory which +belongs to the kernel. This smay lead to exposure of sensitive +information or allow privilege escalation. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch +# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc +# gpg --verify sctp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r277807 +releng/8.4/ r277808 +stable/9/ r277807 +releng/9.3/ r277808 +stable/10/ r277807 +releng/10.0/ r277808 +releng/10.1/ r277808 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + +We would like to acknowledge Clement LECIGNE from Google Security Team and +Francisco Falcon from Core Security Technologies who discovered the issue +independently and reported to the FreeBSD Security Team. + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAEBCgAGBQJUx+qPAAoJEO1n7NZdz2rndPwQAJYuUZhkBqt6Lj0Wnuu220QL +OwMQAVBDggfNMJj5GCMRYqniARGg53UpzBjbKyen9N7tQtjgF6ll9EcWQhUdQSSl +07iCLGkn7kAu5jRO7+S/fJLXaUBfo+KfrUakHBdrWGKD0VVp/DDMbjbzZWl8Yw0S +7g0tqSmNcR1uUbAAsSXUfN9N/8OZzkqCiDvmVcFtalw1CjFyl6XbYXxNS+/j7LrU +YQBJdz9F/X/oPe19VQ36olZWzTdlSLwa/ylwNW7O6K5NdoCq73Co4IDL0gkAgtdQ +s4A7h4UwEoYleRRX+g9Rbeq2tz9FwfIwSferFRF5/1thc0cVJ2e/oDq9lmzyepwa +rbH8jy/TMtSKHlali8I3w6KYfqRFs6whS9Bud1b0SgrqqZizsO64BbvSzkELxHJl +PMUPHHCh3w0CXnRcaxC+rY/kazPZeRzebMaxQLAV0KTEVp0aSGw7FBtEE+ldrHUd +rp1bLESjTjtagr1K1UsCKKZr/t9RSHSZ1I6vfxBPUsUu7oUgd+aOmEpiyYKxna0y +vS5ECCrJG4k9fsQ1emyB5NhROYCXdq2CavfWWOOi3LoUhVvh34N27HVZlqv2m3Y9 +sM20xOB3dSx3ufsv19nAclVpL76Pu7fD/MNe+lhUk1KKgqx0L7vdiJfMIrafLYsR +V2Rre46fapln8T+wvhQP +=o9yw +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-15:03.sctp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:03.sctp.asc Tue Jan 27 19:53:31 2015 (r46235) 
@@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:03.sctp Security Advisory + The FreeBSD Project + +Topic: SCTP stream reset vulnerability + +Category: core +Module: sctp +Announced: 2015-01-27 +Credits: Gerasimos Dimitriadis +Affects: All supported versions of FreeBSD. +Corrected: 2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE) + 2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5) + 2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17) + 2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE) + 2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9) + 2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE) + 2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23) +CVE Name: CVE-2014-8613 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +SCTP protocol provides reliable, flow-controlled, two-way transmission +of data. It is a message oriented protocol and can support the SOCK_STREAM +and SOCK_SEQPACKET abstractions. + +II. Problem Description + +The input validation of received SCTP RE_CONFIG chunks is insufficient, +and can result in a NULL pointer deference later. + +III. Impact + +A remote attacker who can send a malformed SCTP packet to a FreeBSD system +that serves SCTP can cause a kernel panic, resulting in a Denial of +Service. + +IV. Workaround + +On FreeBSD 10.1 or later systems, the system administrator can set +net.inet.sctp.reconfig_enable to 0 to disable processing of RE_CONFIG +chunks. This workaround is not available on earlier FreeBSD releases, +but systems that do not serve SCTP connections are not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch +# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch.asc +# gpg --verify sctp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r277807 +releng/8.4/ r277808 +stable/9/ r277807 +releng/9.3/ r277808 +stable/10/ r277807 +releng/10.0/ r277808 +releng/10.1/ r277808 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAEBCgAGBQJUx+qbAAoJEO1n7NZdz2rnR98QAOWIIf7+akuopMxuVnppZKub +DKCgVAJznitKoxnBtYMAOTcKdf65dQqaAgznAWBRo+USue5LIOI0jjgLuQgepoG6 +eIosPiRXqvMQL6Qqx8ydwM3xiVQd+b9pMiLkh3cfljr1Oh6OV+YSRXC+HBKZXaR6 +sn5kHRR7xFiwV/HsX4RoSik3qPbDl1x66jeN5jL0Wqg2qjCagK6OxGOtkIlt3pDj +QrYNX/l20hXmvPjRojSEPhY+52X29/nlQjfJg/pwpsmiZJe3cqmfsh1aceUOH1Tu +BOVxwE3oYWrJ8NZBa2cKReU1Sdvl1FxtlaXwkE+sRBzh1/vA7AZU6jWL7fEV1wv0 +2mZYLoCrSHfBongLMohs4DQ8CCnH3iEoUBRbG9HGwlAh4s9CAre87oIdHHFWRSsg +oIHxNDG+lk+yNJuOKfjDT+poyuYw7TlBfYN+ifO5UHPOEIH430FWF3B3P2oH4I/M +7VQRClaxaNiPfAJxa11IwHKWM12yrrM7483AuPqdd1r9OUnx33y1jPY0ByemXv9d +LE8jJXs0cdR7zCJuV9R8Uif9xkdGLTj9emsqjaS1KxSJrSzPJaah4nkWq8BRmMXK +3xOxlIM/cGJLU+/cliDy3CqHipU4pt+S4RuAB41xx2k5g9YiAMH178xrfOgrklSH +xKfAM/gz4YqESK5QPjqO +=859G +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:02/sctp.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:02/sctp.patch Tue Jan 27 19:53:31 2015 (r46235) 
@@ -0,0 +1,45 @@ +Index: sys/netinet/sctp_usrreq.c +=================================================================== +--- sys/netinet/sctp_usrreq.c (revision 277788) ++++ sys/netinet/sctp_usrreq.c (working copy) +@@ -1863,8 +1863,9 @@ flags_out: + SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize); + SCTP_FIND_STCB(inp, stcb, av->assoc_id); + if (stcb) { +- if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], +- &av->stream_value) < 0) { ++ if ((av->stream_id >= stcb->asoc.streamoutcnt) || ++ (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], ++ &av->stream_value) < 0)) { + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); + error = EINVAL; + } else { +@@ -4032,8 +4033,9 @@ sctp_setopt(struct socket *so, int optname, void * + SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize); + SCTP_FIND_STCB(inp, stcb, av->assoc_id); + if (stcb) { +- if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], +- av->stream_value) < 0) { ++ if ((av->stream_id >= stcb->asoc.streamoutcnt) || ++ (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], ++ av->stream_value) < 0)) { + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); + error = EINVAL; + } +@@ -4043,10 +4045,12 @@ sctp_setopt(struct socket *so, int optname, void * + SCTP_INP_RLOCK(inp); + LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) { + SCTP_TCB_LOCK(stcb); +- stcb->asoc.ss_functions.sctp_ss_set_value(stcb, +- &stcb->asoc, +- &stcb->asoc.strmout[av->stream_id], +- av->stream_value); ++ if (av->stream_id < stcb->asoc.streamoutcnt) { ++ stcb->asoc.ss_functions.sctp_ss_set_value(stcb, ++ &stcb->asoc, ++ &stcb->asoc.strmout[av->stream_id], ++ av->stream_value); ++ } + SCTP_TCB_UNLOCK(stcb); + } + SCTP_INP_RUNLOCK(inp); Added: 
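Review bot: In the two SCTP_SS_VALUE hunks of sys/netinet/sctp_usrreq.c (sctp_getopt at line 1863 and sctp_setopt at line 4033) the new `(av->stream_id >= stcb->asoc.streamoutcnt)` test is the left operand of `||`, so `&stcb->asoc.strmout[av->stream_id]` is never evaluated for an out-of-range id; that operand order is the whole fix, so a short comment such as `/* bounds check must precede the strmout[] index */` would keep a later refactor from swapping the operands. Folding the range check into the same condition as the scheduler call means both failures now go through the same `SCTP_LTRACE_ERR_RET(..., EINVAL)`, which is acceptable, but the trace no longer distinguishes a bad stream id from a failing sctp_ss_get_value/sctp_ss_set_value.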
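Review bot: In the all-associations loop hunk (sctp_setopt at line 4045) an out-of-range `av->stream_id` is now silently skipped for that association and the setsockopt still succeeds, whereas the single-association path two hunks up returns EINVAL for the same input; consider setting `error = EINVAL` when no association accepted the value, or at least emitting a trace, so callers can tell the option was not applied. The comparison is done inside the `SCTP_TCB_LOCK(stcb)` / `SCTP_TCB_UNLOCK(stcb)` pair, so `streamoutcnt` and `strmout` are read under the same lock, which is the right place for it.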
head/share/security/patches/SA-15:02/sctp.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:02/sctp.patch.asc Tue Jan 27 19:53:31 2015 (r46235) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAABCgAGBQJUx+qbAAoJEO1n7NZdz2rn0EgP/0JAL3PGZvxezFy8oCtccfmK +8puU1nlEVq4f0CETGqH1x1bd/P5kMFtC6JAaGbXg4xk2BAi5PLLUf4jPEXu9V8Ok +a2IJ3uuVUAEmrccdyDq4N9ahrnODGNf0nsR6QhcZYJGWg5GoMeHQbMTIVLkF7yHz +5NztDnQO6YuWHYkOFw92zMxNxijH5rUBRbRPfgBxn+6YWL8aabWwrShNmWSIZykb +5NDVYwjl0WozEh0NNdXHwOi+14hUIWCAaNmxHBgkxursQI8G0/js8xLbf/ehVU8d +MuRtVRB1jWCjEIo/Uat6A5Uy6wwCZsTeIFU7RwVYPmF2LtMxYdPP8V6NINErSn/d +wcaRawS9pmbKHmRR3Xk4hnuLpbewu0qB+TS/z1UNCaoSsv//MuSFt4NTMafMMnee +PuwZXPtrjIpCLLDpWZ9o79eX3v3VnmMx2P3Cu+UADoDs/nhWMC0liJ3AlGQBFwso +Z2lXiaujjsqb4JY2VonySuRxkByO/AbJqc9BP+cN2H8EHgzZLUs+ACcmE9O8y/Th +gIWvszlu2gWVyhONIxUD39DGfTCfhQLgMWSaVtQOBL0BEltRJGjYn/RrbZjffGeo +RHG5Gp2212hclgES/mIbfknECixa8VK0u/+AlWmGW5Oahux/pDMnxuRqD9DkfEDS +BSWdWxJZ4q5YDH7GAvyP +=ZyyZ +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:03/sctp.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:03/sctp.patch Tue Jan 27 19:53:31 2015 (r46235) 
@@ -0,0 +1,119 @@ +Index: sys/netinet/sctp_input.c +=================================================================== +--- sys/netinet/sctp_input.c (revision 277788) ++++ sys/netinet/sctp_input.c (working copy) +@@ -3649,6 +3649,9 @@ sctp_handle_stream_reset_response(struct sctp_tcb + /* huh ? */ + return (0); + } ++ if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) { ++ return (0); ++ } + if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) { + resp = (struct sctp_stream_reset_response_tsn *)respin; + asoc->stream_reset_outstanding--; +@@ -4037,7 +4040,7 @@ __attribute__((noinline)) + sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset, + struct sctp_chunkhdr *ch_req) + { +- int chk_length, param_len, ptype; ++ uint16_t remaining_length, param_len, ptype; + struct sctp_paramhdr pstore; + uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE]; + uint32_t seq = 0; +@@ -4050,7 +4053,7 @@ __attribute__((noinline)) + int num_param = 0; + + /* now it may be a reset or a reset-response */ +- chk_length = ntohs(ch_req->chunk_length); ++ remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr); + + /* setup for adding the response */ + sctp_alloc_a_chunk(stcb, chk); +@@ -4088,20 +4091,27 @@ strres_nochunk: + ch->chunk_length = htons(chk->send_size); + SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); + offset += sizeof(struct sctp_chunkhdr); +- while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { ++ while (remaining_length >= sizeof(struct sctp_paramhdr)) { + ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore); +- if (ph == NULL) ++ if (ph == NULL) { ++ /* TSNH */ + break; ++ } + param_len = ntohs(ph->param_length); +- if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { +- /* bad param */ ++ if ((param_len > remaining_length) || ++ (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) { ++ /* bad parameter length */ + 
break; + } +- ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)), ++ ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)), + (uint8_t *) & cstore); ++ if (ph == NULL) { ++ /* TSNH */ ++ break; ++ } + ptype = ntohs(ph->param_type); + num_param++; +- if (param_len > (int)sizeof(cstore)) { ++ if (param_len > sizeof(cstore)) { + trunc = 1; + } else { + trunc = 0; +@@ -4113,6 +4123,9 @@ strres_nochunk: + if (ptype == SCTP_STR_RESET_OUT_REQUEST) { + struct sctp_stream_reset_out_request *req_out; + ++ if (param_len < sizeof(struct sctp_stream_reset_out_request)) { ++ break; ++ } + req_out = (struct sctp_stream_reset_out_request *)ph; + num_req++; + if (stcb->asoc.stream_reset_outstanding) { +@@ -4126,6 +4139,9 @@ strres_nochunk: + } else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) { + struct sctp_stream_reset_add_strm *str_add; + ++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) { ++ break; ++ } + str_add = (struct sctp_stream_reset_add_strm *)ph; + num_req++; + sctp_handle_str_reset_add_strm(stcb, chk, str_add); +@@ -4132,6 +4148,9 @@ strres_nochunk: + } else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) { + struct sctp_stream_reset_add_strm *str_add; + ++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) { ++ break; ++ } + str_add = (struct sctp_stream_reset_add_strm *)ph; + num_req++; + sctp_handle_str_reset_add_out_strm(stcb, chk, str_add); +@@ -4156,6 +4175,9 @@ strres_nochunk: + struct sctp_stream_reset_response *resp; + uint32_t result; + ++ if (param_len < sizeof(struct sctp_stream_reset_response)) { ++ break; ++ } + resp = (struct sctp_stream_reset_response *)ph; + seq = ntohl(resp->response_seq); + result = ntohl(resp->result); +@@ -4167,7 +4189,11 @@ strres_nochunk: + break; + } + offset += SCTP_SIZE32(param_len); +- chk_length -= SCTP_SIZE32(param_len); ++ if (remaining_length >= SCTP_SIZE32(param_len)) { ++ remaining_length -= SCTP_SIZE32(param_len); ++ } else { ++ 
remaining_length = 0; ++ } + } + if (num_req == 0) { + /* we have no response free the stuff */ Added: head/share/security/patches/SA-15:03/sctp.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:03/sctp.patch.asc Tue Jan 27 19:53:31 2015 (r46235) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAABCgAGBQJUx+qbAAoJEO1n7NZdz2rng3MP/3a6EgYQFrHJZ0f89jJh+tgC +tnj7NSHGAYI4LjwqBMLngfwVw7lzqd46dE9VUc5E123RE7HOwYCkllebWKkQdMxa +6NvCxmIT0jRcmMb2TWteS6Tp1DE7I2COJHBA4BLN0T+3/KwgvSEU3p1947uumlL1 +m7qh69thHqi5tbqLkBh6j5CVPZj/hM+wBX+GRHm4s6Bo/NsnVWS2iCscsiOYFylP +IIYl8puXa8zv4EV/Jqco779BpJ71Bqr+zIcOq9uf8dcWAHrOTCYx85e4xNQ2sCmB +KlA8kYqdFR4XdgSJC9UhMpq9V206+wjAUiJz1JvpEd2+IaEs1RyFDl3MUxQoWDHU +cXS1Bg9/z/mP1PzC4XQxSgcqgjD3q94AoOLKIFLsdvqXZ4aQ8VXrWAm0hAC4DMLd +e3t+Np0XXE3IpUEnp50GEqkrAKKkcbvUT40HFqS/v/jHE48X5ISd4vAjFPEd0ANV +5a7IsrYiDDFOLltTuk2zrOfCfEj6QonVs4/SqTApcOsrCP6Jxy0OqmyKNy6bgps+ +vmzaQl0/I7d/JEclNpXFl8BdxWsXL354KhI83/JKftP33cjA5p9y4Yor9nG5EAFx +8YpJ1MQtjVu2S0fyxhvCGSsaepob5R4Wzb3q5uRsGbU2RMwqXNbyOlLOaETD1FSC +17CUlhlbHpMGss4B09S8 +=j7hV +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Jan 27 06:38:29 2015 (r46234) +++ head/share/xml/advisories.xml Tue Jan 27 19:53:31 2015 (r46235) @@ -11,6 +11,18 @@ 1 + 27 + + + FreeBSD-SA-15:03.sctp + + + + FreeBSD-SA-15:02.kmem + + + + 14
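Review bot: In the sctp_handle_stream_reset_response hunk of sys/netinet/sctp_input.c (line 3649) the new `ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)` check sits before the `action == SCTP_STREAM_RESET_RESULT_PERFORMED` branch that casts `respin` to `struct sctp_stream_reset_response_tsn *`, so the cast is now guarded. Returning 0 silently matches the existing `/* huh ? */` path above it, but a comment naming the reason, e.g. `/* too short to carry a TSN response */`, would help, since this is the only length check the hunk shows in that function.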
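Review bot: In the hunk at line 4053, `remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);` stores into a uint16_t; if `chunk_length` is ever smaller than `sizeof(struct sctp_chunkhdr)` the result wraps to a large value and the parameter loop below then trusts it (the new `param_len > remaining_length` test would reject nothing). Nothing in these hunks shows a prior `chunk_length >= sizeof(struct sctp_chunkhdr)` check, so either confirm the caller guarantees it or add the check here before the subtraction. Changing `chk_length`, `param_len` and `ptype` from int to uint16_t does remove the `(int)sizeof(...)` signed comparisons, which is the cleaner way to express these bounds.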
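Review bot: In the loop hunk at line 4091 the new `while (remaining_length >= sizeof(struct sctp_paramhdr))` together with `(param_len > remaining_length) || (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))` ensures every parameter header and its sequence number lie inside the chunk, and the per-type hunks at lines 4123, 4139, 4148 and 4175 add a `param_len < sizeof(struct sctp_stream_reset_...)` check before each cast, which is correct. All of them use a bare `break`, so a short parameter in the middle of a chunk stops parsing while `num_req` still counts the earlier valid requests, meaning the `if (num_req == 0)` path after the loop does not discard the response already built; that is probably intended, but it deserves a comment at the first `/* bad parameter length */` break. The second `if (ph == NULL) { /* TSNH */ break; }` after the `min(param_len, sizeof(cstore))` read is fine to keep, since that call reads a different length than the `sizeof(pstore)` read a few lines above.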
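Review bot: In the hunk at line 4189 the `if (remaining_length >= SCTP_SIZE32(param_len)) ... else remaining_length = 0;` clamp is needed because `param_len <= remaining_length` was checked on the unpadded length while the decrement uses the 32-bit-padded `SCTP_SIZE32(param_len)`; a final parameter whose padding is not counted in `chunk_length` would otherwise underflow the uint16_t and keep the loop running. Setting it to 0 terminates the loop correctly; a one-line comment explaining the padding case would save the next reader that derivation.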