svn commit: r254632 - in releng: 8.3 8.3/sys/conf 8.3/sys/netinet 8.3/sys/netinet6 8.4 8.4/sys/conf 8.4/sys/netinet 8.4/sys/netinet6
Xin LI
delphij at FreeBSD.org
Thu Aug 22 00:51:59 UTC 2013
Author: delphij
Date: Thu Aug 22 00:51:56 2013
New Revision: 254632
URL: http://svnweb.freebsd.org/changeset/base/254632
Log:
Fix an integer overflow in computing the size of a temporary buffer,
which can result in a buffer which is too small for the requested
operation. [13:09]
Fix a bug that could lead to kernel memory disclosure with
SCTP state cookie. [13:10]
Security: CVE-2013-3077
Security: FreeBSD-SA-13:09.ip_multicast
Security: CVE-2013-5209
Security: FreeBSD-SA-13:10.sctp
Approved by: so
Modified:
releng/8.3/UPDATING
releng/8.3/sys/conf/newvers.sh
releng/8.3/sys/netinet/in_mcast.c
releng/8.3/sys/netinet/sctp_output.c
releng/8.3/sys/netinet6/in6_mcast.c
releng/8.4/UPDATING
releng/8.4/sys/conf/newvers.sh
releng/8.4/sys/netinet/in_mcast.c
releng/8.4/sys/netinet/sctp_output.c
releng/8.4/sys/netinet6/in6_mcast.c
Modified: releng/8.3/UPDATING
==============================================================================
--- releng/8.3/UPDATING Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.3/UPDATING Thu Aug 22 00:51:56 2013 (r254632)
@@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20130822: p10 FreeBSD-SA-13:09.ip_multicast
+ FreeBSD-SA-13:10.sctp
+ Fix an integer overflow in computing the size of a temporary buffer
+ can result in a buffer which is too small for the requested
+ operation. [13:09]
+
+ Fix a bug that could lead to kernel memory disclosure with
+ SCTP state cookie. [13:10]
+
20130429: p9 FreeBSD-SA-13:08.nfsserver
Fix a bug that allows remote client bypass the normal
access checks when when -network or -host restrictions are
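Review bot: The first sentence of the new 20130822 entry does not parse: "Fix an integer overflow in computing the size of a temporary buffer can result in a buffer which is too small" is missing a connective before "can result". Suggest "... temporary buffer, which can result in ...", and consider naming the affected code (the IP multicast source filter path, going by the advisory name) so the entry can be read without looking up SA-13:09.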
Modified: releng/8.3/sys/conf/newvers.sh
==============================================================================
--- releng/8.3/sys/conf/newvers.sh Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.3/sys/conf/newvers.sh Thu Aug 22 00:51:56 2013 (r254632)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.3"
-BRANCH="RELEASE-p9"
+BRANCH="RELEASE-p10"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.3/sys/netinet/in_mcast.c
==============================================================================
--- releng/8.3/sys/netinet/in_mcast.c Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.3/sys/netinet/in_mcast.c Thu Aug 22 00:51:56 2013 (r254632)
@@ -1613,6 +1613,8 @@ inp_get_source_filters(struct inpcb *inp
* has asked for, but we always tell userland how big the
* buffer really needs to be.
*/
+ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
+ msfr.msfr_nsrcs = in_mcast_maxsocksrc;
tss = NULL;
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
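Review bot: The new clamp on msfr.msfr_nsrcs is what keeps sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs in the malloc() below from wrapping, but nothing in the hunk says so, and the existing comment above it only discusses how much is copied out. Add a one-line comment on the check stating that it bounds the allocation size, and confirm that in_mcast_maxsocksrc itself has an enforced upper limit, since the multiplication is otherwise still unchecked.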
Modified: releng/8.3/sys/netinet/sctp_output.c
==============================================================================
--- releng/8.3/sys/netinet/sctp_output.c Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.3/sys/netinet/sctp_output.c Thu Aug 22 00:51:56 2013 (r254632)
@@ -5456,6 +5456,14 @@ do_a_abort:
}
SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
+ /*
+ * We might not overwrite the identification[] completely and on
+ * some platforms time_entered will contain some padding. Therefore
+ * zero out the cookie to avoid putting uninitialized memory on the
+ * wire.
+ */
+ memset(&stc, 0, sizeof(struct sctp_state_cookie));
+
/* the time I built cookie */
(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
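Review bot: In the added memset(), the size is written as sizeof(struct sctp_state_cookie) rather than sizeof(stc); if the type of stc ever changes, the two can drift apart and part of the cookie would again go out unzeroed. Prefer memset(&stc, 0, sizeof(stc)), which always matches the object being cleared.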
Modified: releng/8.3/sys/netinet6/in6_mcast.c
==============================================================================
--- releng/8.3/sys/netinet6/in6_mcast.c Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.3/sys/netinet6/in6_mcast.c Thu Aug 22 00:51:56 2013 (r254632)
@@ -1624,6 +1624,8 @@ in6p_get_source_filters(struct inpcb *in
* has asked for, but we always tell userland how big the
* buffer really needs to be.
*/
+ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
+ msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
tss = NULL;
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
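Review bot: The new check clamps msfr.msfr_nsrcs silently, while the comment directly above it promises that "we always tell userland how big the buffer really needs to be". Confirm that the count returned to the caller later in in6p_get_source_filters() comes from the filter's real source count and not from the clamped field, or return an error for an oversized request instead of truncating it.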
Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.4/UPDATING Thu Aug 22 00:51:56 2013 (r254632)
@@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20130822: p3 FreeBSD-SA-13:09.ip_multicast
+ FreeBSD-SA-13:10.sctp
+ Fix an integer overflow in computing the size of a temporary buffer
+ can result in a buffer which is too small for the requested
+ operation. [13:09]
+
+ Fix a bug that could lead to kernel memory disclosure with
+ SCTP state cookie. [13:10]
+
20130726: p2 FreeBSD-SA-13:07.bind
Fix Denial of Service vulnerability in named(8).
Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.4/sys/conf/newvers.sh Thu Aug 22 00:51:56 2013 (r254632)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.4"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.4/sys/netinet/in_mcast.c
==============================================================================
--- releng/8.4/sys/netinet/in_mcast.c Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.4/sys/netinet/in_mcast.c Thu Aug 22 00:51:56 2013 (r254632)
@@ -1613,6 +1613,8 @@ inp_get_source_filters(struct inpcb *inp
* has asked for, but we always tell userland how big the
* buffer really needs to be.
*/
+ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
+ msfr.msfr_nsrcs = in_mcast_maxsocksrc;
tss = NULL;
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
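Review bot: The comparison msfr.msfr_nsrcs > in_mcast_maxsocksrc depends on the types of both operands, which this hunk does not show; if either is signed or the widths differ, the implicit conversion decides whether an out-of-range value is caught before it reaches the multiplication in malloc(). Verify both are unsigned and of compatible width, or make the conversion explicit at the comparison.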
Modified: releng/8.4/sys/netinet/sctp_output.c
==============================================================================
--- releng/8.4/sys/netinet/sctp_output.c Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.4/sys/netinet/sctp_output.c Thu Aug 22 00:51:56 2013 (r254632)
@@ -5414,6 +5414,14 @@ do_a_abort:
}
SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
+ /*
+ * We might not overwrite the identification[] completely and on
+ * some platforms time_entered will contain some padding. Therefore
+ * zero out the cookie to avoid putting uninitialized memory on the
+ * wire.
+ */
+ memset(&stc, 0, sizeof(struct sctp_state_cookie));
+
/* the time I built cookie */
(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
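Review bot: The memset() of stc sits after SCTP_BUF_LEN(m) is set and just before time_entered is filled, so it also clears anything written into stc earlier in the function. The visible context does not show whether any field of stc is assigned above this point; check that none is, or move the memset() to the top of the function so the ordering cannot regress.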
Modified: releng/8.4/sys/netinet6/in6_mcast.c
==============================================================================
--- releng/8.4/sys/netinet6/in6_mcast.c Thu Aug 22 00:51:48 2013 (r254631)
+++ releng/8.4/sys/netinet6/in6_mcast.c Thu Aug 22 00:51:56 2013 (r254632)
@@ -1624,6 +1624,8 @@ in6p_get_source_filters(struct inpcb *in
* has asked for, but we always tell userland how big the
* buffer really needs to be.
*/
+ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
+ msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
tss = NULL;
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
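Review bot: This hunk bounds msfr.msfr_nsrcs only in in6p_get_source_filters(); a caller-requested count multiplied by sizeof(struct sockaddr_storage) is a pattern worth auditing in any other source-filter path of in6_mcast.c that allocates from the same field. If those paths already reject counts above in6_mcast_maxsocksrc, state that in the commit log so it is clear the get path was the only gap.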