[3.13.y.z extended stable] Patch "sctp: Fix sk_ack_backlog wrap-around problem" has been added to staging queue

Mon Jul 21 16:24:12 UTC 2014

This is a note to let you know that I have just added a patch titled

    sctp: Fix sk_ack_backlog wrap-around problem

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.6.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 56ac66c9a283f5c51f310d835edd05ebdbde2ea4 Mon Sep 17 00:00:00 2001
From: Xufeng Zhang <xufeng.zhang at windriver.com>
Date: Thu, 12 Jun 2014 10:53:36 +0800
Subject: sctp: Fix sk_ack_backlog wrap-around problem

commit d3217b15a19a4779c39b212358a5c71d725822ee upstream.

Consider the scenario:
For a TCP-style socket, while processing the COOKIE_ECHO chunk in
sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
a new association would be created in sctp_unpack_cookie(), but afterwards,
some processing maybe failed, and sctp_association_free() will be called to
free the previously allocated association, in sctp_association_free(),
sk_ack_backlog value is decremented for this socket, since the initial
value for sk_ack_backlog is 0, after the decrement, it will be 65535,
a wrap-around problem happens, and if we want to establish new associations
afterward in the same socket, ABORT would be triggered since sctp deem the
accept queue as full.
Fix this issue by only decrementing sk_ack_backlog for associations in
the endpoint's list.

Fix-suggested-by: Neil Horman <nhorman at tuxdriver.com>
Signed-off-by: Xufeng Zhang <xufeng.zhang at windriver.com>
Acked-by: Daniel Borkmann <dborkman at redhat.com>
Acked-by: Vlad Yasevich <vyasevich at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Reference: CVE-2014-4667
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 net/sctp/associola.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 31ed008..6524fa8 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -372,7 +372,7 @@ void sctp_association_free(struct sctp_association *asoc)
 	/* Only real associations count against the endpoint, so
 	 * don't bother for if this is a temporary association.
 	 */
-	if (!asoc->temp) {
+	if (!list_empty(&asoc->asocs)) {
 		list_del(&asoc->asocs);

 		/* Decrement the backlog value for a TCP-style listening
--
1.9.1



