First published: Fri Jun 27 2014(Updated: )
Description of the problem: For a TCP-style socket, while processing the COOKIE_ECHO chunk in sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check, a new association would be created in sctp_unpack_cookie(), but afterwards, some processing maybe failed, and sctp_association_free() will be called to free the previously allocated association, in sctp_association_free(), sk_ack_backlog value is decremented for this socket, since the initial value for sk_ack_backlog is 0, after the decrement, it will be 65535, a wrap-around problem happens, and if we want to establish new associations afterward in the same socket, ABORT would be triggered since sctp deem the accept queue as full. A remote attacker can block further connection to the particular sctp server socket by sending a specially crafted sctp packet. Upstream patch: <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d3217b15a19a4779c39b212358a5c71d725822ee">https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d3217b15a19a4779c39b212358a5c71d725822ee</a> Acknowledgements: Red Hat would like to thank Gopal Reddy Kodudula of Nokia Siemens Networks for reporting this issue.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | <3.15.2 | |
SUSE Linux Enterprise Desktop | =11-sp3 | |
Suse Linux Enterprise Real Time Extension | =11-sp3 | |
SUSE Linux Enterprise Server | =10-sp4 | |
SUSE Linux Enterprise Server | =11-sp3 | |
Suse Linux Enterprise Server | =11-sp3 | |
Canonical Ubuntu Linux | =12.04 | |
Debian Debian Linux | =7.0 | |
debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.11.10-1 6.12.3-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.