Date:      Thu, 22 Aug 2013 00:51:57 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r254632 - in releng: 8.3 8.3/sys/conf 8.3/sys/netinet 8.3/sys/netinet6 8.4 8.4/sys/conf 8.4/sys/netinet 8.4/sys/netinet6
Message-ID:  <201308220051.r7M0pvxU012892@svn.freebsd.org>

Author: delphij
Date: Thu Aug 22 00:51:56 2013
New Revision: 254632
URL: http://svnweb.freebsd.org/changeset/base/254632

Log:
  Fix an integer overflow in computing the size of a temporary buffer
  that can result in a buffer which is too small for the requested
  operation. [13:09]
  
  Fix a bug that could lead to kernel memory disclosure with
  SCTP state cookie. [13:10]
  
  Security:	CVE-2013-3077
  Security:	FreeBSD-SA-13:09.ip_multicast
  Security:	CVE-2013-5209
  Security:	FreeBSD-SA-13:10.sctp
  Approved by:	so

Modified:
  releng/8.3/UPDATING
  releng/8.3/sys/conf/newvers.sh
  releng/8.3/sys/netinet/in_mcast.c
  releng/8.3/sys/netinet/sctp_output.c
  releng/8.3/sys/netinet6/in6_mcast.c
  releng/8.4/UPDATING
  releng/8.4/sys/conf/newvers.sh
  releng/8.4/sys/netinet/in_mcast.c
  releng/8.4/sys/netinet/sctp_output.c
  releng/8.4/sys/netinet6/in6_mcast.c
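An added illustration of the bug class the log entry describes (this is not FreeBSD code and not part of this commit): a caller-supplied element count multiplied by a fixed element size, used as an allocation size, wraps silently when the product does not fit the size type, so the copy that follows writes past a buffer that is far too small. The hardened function mirrors the shape of the fix, clamping the count to a policy maximum before the multiplication and refusing any product that cannot fit. It assumes a 32-bit count like msfr_nsrcs and models a 32-bit size_t explicitly so the wrap is visible on any host; ELEM_SIZE, MAX_SOCK_SRC and all function names are hypothetical stand-ins for sizeof(struct sockaddr_storage), in_mcast_maxsocksrc and the kernel routine.

```c
/*
 * Added example, not FreeBSD code.  Demonstrates why
 *   sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs
 * needs a bound before it becomes an allocation size.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ELEM_SIZE     128u   /* hypothetical: stands in for sizeof(struct sockaddr_storage) */
#define MAX_SOCK_SRC  128u   /* hypothetical: plays the role of in_mcast_maxsocksrc */

/* Size computation as a 32-bit size_t sees it: wraps modulo 2^32, no error. */
uint32_t alloc_size_unchecked32(uint32_t nsrcs)
{
    return (uint32_t)(ELEM_SIZE * nsrcs);
}

/* Bytes a copy loop over nsrcs elements would really write (no wrap). */
uint64_t bytes_written(uint32_t nsrcs)
{
    return (uint64_t)ELEM_SIZE * nsrcs;
}

/* True when the wrapped allocation is smaller than what gets written. */
bool overflows_buffer(uint32_t nsrcs)
{
    return bytes_written(nsrcs) > alloc_size_unchecked32(nsrcs);
}

/*
 * Hardened version: clamp the caller-supplied count to the policy maximum
 * first (the shape of the fix), then refuse any product that cannot fit in
 * size_t.  Returns false instead of handing back a too-small size.
 */
bool alloc_size_checked(uint32_t nsrcs, size_t *out)
{
    if (nsrcs > MAX_SOCK_SRC)
        nsrcs = MAX_SOCK_SRC;                 /* bound the request */
    if (nsrcs != 0 && (size_t)ELEM_SIZE > SIZE_MAX / nsrcs)
        return false;                         /* product would wrap */
    *out = (size_t)ELEM_SIZE * nsrcs;
    return true;
}

/* Convenience wrapper: the checked size, or 0 if the request was refused. */
size_t checked_size_or_zero(uint32_t nsrcs)
{
    size_t sz = 0;
    if (!alloc_size_checked(nsrcs, &sz))
        return 0;
    return sz;
}
```

With a count of 33554433 (2^25 + 1), the 32-bit product 128 * 33554433 wraps to exactly 128 bytes while the copy would write 4 GiB; the clamped computation instead returns 128 * 128 = 16384 bytes, which is the bound the kernel then reports back to userland as the size actually needed.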

Modified: releng/8.3/UPDATING
==============================================================================
--- releng/8.3/UPDATING	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.3/UPDATING	Thu Aug 22 00:51:56 2013	(r254632)
@@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20130822:	p10	FreeBSD-SA-13:09.ip_multicast
+			FreeBSD-SA-13:10.sctp
+	Fix an integer overflow in computing the size of a temporary buffer
+	can result in a buffer which is too small for the requested
+	operation. [13:09]
+
+	Fix a bug that could lead to kernel memory disclosure with
+	SCTP state cookie. [13:10]
+
 20130429:	p9	FreeBSD-SA-13:08.nfsserver
 	Fix a bug that allows remote client bypass the normal
 	access checks when when -network or -host restrictions are
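Review bot: the first sentence of the new 20130822 entry is missing a relative pronoun ("a temporary buffer can result in a buffer which is too small"); since UPDATING is user-facing release text, suggest "a temporary buffer that can result in a buffer which is too small for the requested operation." The p10 level in the entry header matches the BRANCH bump in newvers.sh.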

Modified: releng/8.3/sys/conf/newvers.sh
==============================================================================
--- releng/8.3/sys/conf/newvers.sh	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.3/sys/conf/newvers.sh	Thu Aug 22 00:51:56 2013	(r254632)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.3"
-BRANCH="RELEASE-p9"
+BRANCH="RELEASE-p10"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.3/sys/netinet/in_mcast.c
==============================================================================
--- releng/8.3/sys/netinet/in_mcast.c	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.3/sys/netinet/in_mcast.c	Thu Aug 22 00:51:56 2013	(r254632)
@@ -1613,6 +1613,8 @@ inp_get_source_filters(struct inpcb *inp
 	 * has asked for, but we always tell userland how big the
 	 * buffer really needs to be.
 	 */
+	if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
+		msfr.msfr_nsrcs = in_mcast_maxsocksrc;
 	tss = NULL;
 	if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
 		tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
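Review bot: the clamp on msfr.msfr_nsrcs only prevents the sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs product from wrapping as long as in_mcast_maxsocksrc itself is small enough for that product to fit in size_t; that invariant is not stated anywhere in the hunk, and the surrounding comment still only talks about telling userland how big the buffer needs to be. Suggest a one-line comment above the `if` saying the clamp bounds the allocation size (the SA-13:09 fix) and that a request above the limit is deliberately truncated, which is consistent with the existing comment since the caller is always told the real size.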

Modified: releng/8.3/sys/netinet/sctp_output.c
==============================================================================
--- releng/8.3/sys/netinet/sctp_output.c	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.3/sys/netinet/sctp_output.c	Thu Aug 22 00:51:56 2013	(r254632)
@@ -5456,6 +5456,14 @@ do_a_abort:
 	}
 	SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
 
+	/*
+	 * We might not overwrite the identification[] completely and on
+	 * some platforms time_entered will contain some padding. Therefore
+	 * zero out the cookie to avoid putting uninitialized memory on the
+	 * wire.
+	 */
+	memset(&stc, 0, sizeof(struct sctp_state_cookie));
+
 	/* the time I built cookie */
 	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
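Review bot: the memset(&stc, 0, sizeof(struct sctp_state_cookie)) lands mid-function, just before time_entered is filled in, so please confirm that no field of stc is assigned earlier in this function; anything set before this point would be silently discarded by the memset. Minor: sizeof(stc) would tie the cleared length to the variable rather than to a repeated type name, so a later type change cannot leave the two out of step.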
 

Modified: releng/8.3/sys/netinet6/in6_mcast.c
==============================================================================
--- releng/8.3/sys/netinet6/in6_mcast.c	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.3/sys/netinet6/in6_mcast.c	Thu Aug 22 00:51:56 2013	(r254632)
@@ -1624,6 +1624,8 @@ in6p_get_source_filters(struct inpcb *in
 	 * has asked for, but we always tell userland how big the
 	 * buffer really needs to be.
 	 */
+	if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
+		msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
 	tss = NULL;
 	if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
 		tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
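Review bot: the clamp to in6_mcast_maxsocksrc is what keeps sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs from wrapping, so the hunk relies on in6_mcast_maxsocksrc being small enough for that product to fit in size_t; a short comment at the `if` stating that bound, and that oversized requests are intentionally truncated (userland is still told the real size, per the existing comment), would make the intent of the two added lines clear.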

Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.4/UPDATING	Thu Aug 22 00:51:56 2013	(r254632)
@@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20130822:	p3	FreeBSD-SA-13:09.ip_multicast
+			FreeBSD-SA-13:10.sctp
+	Fix an integer overflow in computing the size of a temporary buffer
+	can result in a buffer which is too small for the requested
+	operation. [13:09]
+
+	Fix a bug that could lead to kernel memory disclosure with
+	SCTP state cookie. [13:10]
+
 20130726:	p2	FreeBSD-SA-13:07.bind
 	Fix Denial of Service vulnerability in named(8).
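Review bot: the new 20130822 entry carries the same ungrammatical sentence as the commit log ("a temporary buffer can result in a buffer which is too small"); suggest "a temporary buffer that can result in a buffer which is too small for the requested operation." The p3 level matches the BRANCH bump in newvers.sh for 8.4.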
 

Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.4/sys/conf/newvers.sh	Thu Aug 22 00:51:56 2013	(r254632)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.4"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.4/sys/netinet/in_mcast.c
==============================================================================
--- releng/8.4/sys/netinet/in_mcast.c	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.4/sys/netinet/in_mcast.c	Thu Aug 22 00:51:56 2013	(r254632)
@@ -1613,6 +1613,8 @@ inp_get_source_filters(struct inpcb *inp
 	 * has asked for, but we always tell userland how big the
 	 * buffer really needs to be.
 	 */
+	if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
+		msfr.msfr_nsrcs = in_mcast_maxsocksrc;
 	tss = NULL;
 	if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
 		tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
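Review bot: as in the 8.3 copy of this file, the two added lines are the whole overflow fix for the sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs product, yet the only nearby comment describes the userland size report; a comment at the `if` documenting that in_mcast_maxsocksrc must stay small enough for the product to fit in size_t, and that larger requests are truncated on purpose, would help whoever next touches this code.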

Modified: releng/8.4/sys/netinet/sctp_output.c
==============================================================================
--- releng/8.4/sys/netinet/sctp_output.c	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.4/sys/netinet/sctp_output.c	Thu Aug 22 00:51:56 2013	(r254632)
@@ -5414,6 +5414,14 @@ do_a_abort:
 	}
 	SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
 
+	/*
+	 * We might not overwrite the identification[] completely and on
+	 * some platforms time_entered will contain some padding. Therefore
+	 * zero out the cookie to avoid putting uninitialized memory on the
+	 * wire.
+	 */
+	memset(&stc, 0, sizeof(struct sctp_state_cookie));
+
 	/* the time I built cookie */
 	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
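Review bot: same placement concern as the 8.3 hunk: the memset of stc sits mid-function immediately before time_entered is set, so any field of stc written earlier in the function would be wiped; worth verifying none is. Minor: sizeof(stc) instead of sizeof(struct sctp_state_cookie) keeps the cleared length tied to the variable.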
 

Modified: releng/8.4/sys/netinet6/in6_mcast.c
==============================================================================
--- releng/8.4/sys/netinet6/in6_mcast.c	Thu Aug 22 00:51:48 2013	(r254631)
+++ releng/8.4/sys/netinet6/in6_mcast.c	Thu Aug 22 00:51:56 2013	(r254632)
@@ -1624,6 +1624,8 @@ in6p_get_source_filters(struct inpcb *in
 	 * has asked for, but we always tell userland how big the
 	 * buffer really needs to be.
 	 */
+	if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
+		msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
 	tss = NULL;
 	if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
 		tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
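Review bot: the clamp to in6_mcast_maxsocksrc is correct only under the unstated assumption that sizeof(struct sockaddr_storage) * in6_mcast_maxsocksrc cannot wrap; suggest recording that bound, and the intentional truncation of oversized requests, in a comment at the `if` so the fix is self-explanatory.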


