[CVE-2010-4526] sctp: Fix a race between ICMP protocol unreachable and connect()

Tim Gardner tim.gardner at canonical.com
Tue Jun 21 13:32:17 UTC 2011


On 06/20/2011 12:19 PM, Andy Whitcroft wrote:
> CVE-2010-4526
> 	Race condition in the sctp_icmp_proto_unreachable function in
> 	net/sctp/input.c in Linux kernel 2.6.11-rc2 through 2.6.33 allows
> 	remote attackers to cause a denial of service (panic) via an ICMP
> 	unreachable message to a socket that is already locked by a user,
> 	which causes the socket to be freed and triggers list corruption,
> 	related to the sctp_wait_for_connect function.
>
> This is already fixed in everything based on v2.6.34 and above, arriving
> via mainline.  Following this email are patches for Hardy, and
> Lucid/ti-omap4.
>
> Note I have no clue how to confirm the backport for Hardy is good as
> the bug seems to be hard to trigger and in a protocol I have no idea how
> to test.  Any suggestions welcome.
>
> Proposing for Lucid/ti-omap4, and requesting testing help for Hardy.
>
> -apw
>

It looks like this is a race when an SCTP socket is owned or is being 
shut down whilst a connection is being attempted. You ought to be able 
to test by continuously opening and closing a specific port while 
simultaneously and continuously attempting to connect to the port from a 
networked machine.

My perl foo has atrophied, but I'll bet _you_ could whip out a simple 
pair of loops to exercise this situation.

rtg
-- 
Tim Gardner tim.gardner at canonical.com



