| #
009e81b1 |
| 22-Jan-2016 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFH @r294567
|
| #
7f38eb34 |
| 15-Jan-2016 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r293850 through r294089.
|
| #
a11378bd |
| 14-Jan-2016 |
Glen Barber <gjb@FreeBSD.org> |
MFH
Sponsored by: The FreeBSD Foundation
|
| #
47979581 |
| 14-Jan-2016 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Verify the packet length in sctp6_input().
The sctp6_ctlinput() function does not properly check the length of the packet
it receives from the ICMP6 input routine. This means that an attacker can cr
Verify the packet length in sctp6_input().
The sctp6_ctlinput() function does not properly check the length of the packet
it receives from the ICMP6 input routine. This means that an attacker can craft
a packet that will cause a kernel panic.
When the kernel receives an ICMP6 error message with one of the types/codes
it handles, it calls icmp6_notify_error() to deliver it to the upper-level
protocol. icmp6_notify_error() cycles through the extension headers (if any)
to find the protocol number of the first non-extension header. It does NOT
verify the length of the non-extension header.
It passes information about the packet (including the actual packet) to the
upper-level protocol's pr_ctlinput function. In the case of SCTP for IPv6,
icmp6_notify_error() calls sctp6_ctlinput().
sctp6_ctlinput() assumes that the incoming packet contains a sufficiently-long
SCTP header and calls m_copydata() to extract a copy of that header. In turn,
m_copydata() assumes that the caller has already verified that the offset and
length parameters are correct. If they are incorrect, it will dereference a
NULL pointer and cause a kernel panic.
In short, no one is sufficiently verifying the input, and the result is a
kernel panic.
Submitted by: jtl
Security: SA-16:01.sctp
show more ...
|
| #
b626f5a7 |
| 04-Jan-2016 |
Glen Barber <gjb@FreeBSD.org> |
MFH r289384-r293170
Sponsored by: The FreeBSD Foundation
|
| #
9a7cd2e6 |
| 22-Dec-2015 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFH @r292599
This includes the pluggable TCP framework and other chnages to the
netstack to track for VNET stability.
Security: The FreeBSD Foundation
|
| #
c979034b |
| 06-Dec-2015 |
Michael Tuexen <tuexen@FreeBSD.org> |
Fix the allocation of outgoing streams:
* When processing a cookie, use the number of
streams announced in the INIT-ACK.
* When sending an INIT-ACK for an existing
association, use the value from
Fix the allocation of outgoing streams:
* When processing a cookie, use the number of
streams announced in the INIT-ACK.
* When sending an INIT-ACK for an existing
association, use the value from the association,
not from the end-point.
MFC after: 1 week
show more ...
|
| #
f94594b3 |
| 12-Sep-2015 |
Baptiste Daroussin <bapt@FreeBSD.org> |
Finish merging from head, messed up in previous attempt
|
| #
ab875b71 |
| 14-Aug-2015 |
Navdeep Parhar <np@FreeBSD.org> |
Catch up with head, primarily for the 1.14.4.0 firmware.
|
|
Revision tags: release/10.2.0 |
|
| #
5f78ec1c |
| 28-Jul-2015 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r285793 through r285923.
|
| #
4ff815b7 |
| 25-Jul-2015 |
Michael Tuexen <tuexen@FreeBSD.org> |
Move including netinet/icmp6.h around to avoid a problem when including
netinet/icmp6.h and net/netmap.h. Both use ni_flags...
This allows to build multistack with SCTP support.
MFC after: 1 week
|
| #
416ba5c7 |
| 22-Jun-2015 |
Navdeep Parhar <np@FreeBSD.org> |
Catch up with HEAD (r280229-r284686).
|
| #
76aeda8a |
| 20-Jun-2015 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r284188 through r284643.
|
| #
2fbd60ec |
| 20-Jun-2015 |
Baptiste Daroussin <bapt@FreeBSD.org> |
Merge from head @274131
|
| #
d089f9b9 |
| 17-Jun-2015 |
Michael Tuexen <tuexen@FreeBSD.org> |
Add FIB support for SCTP.
This fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200379
MFC after: 3 days
|
| #
8472c029 |
| 30-May-2015 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r283596 through r283770.
|
| #
37a48d40 |
| 28-May-2015 |
Glen Barber <gjb@FreeBSD.org> |
MFH: r282615-r283655
Sponsored by: The FreeBSD Foundation
|
| #
b7d130be |
| 28-May-2015 |
Michael Tuexen <tuexen@FreeBSD.org> |
Fix and cleanup the debug information. This has no user-visible changes.
Thanks to Irene Ruengeler for proving a patch.
MFC after: 3 days
|
| #
98e0ffae |
| 27-May-2015 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Merge sync of head
|
| #
51dd214c |
| 19-Jan-2015 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead @ r277403
|
| #
d899be7d |
| 19-Jan-2015 |
Glen Barber <gjb@FreeBSD.org> |
Reintegrate head: r274132-r277384
Sponsored by: The FreeBSD Foundation
|
| #
8f0ea33f |
| 13-Jan-2015 |
Glen Barber <gjb@FreeBSD.org> |
Reintegrate head revisions r273096-r277147
Sponsored by: The FreeBSD Foundation
|
| #
4be807c4 |
| 10-Jan-2015 |
Michael Tuexen <tuexen@FreeBSD.org> |
Minimize the usage of SCTP_BUF_IS_EXTENDED.
This should help Robert...
|
| #
afbe8aa4 |
| 18-Dec-2014 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead @ r275911 (also, sort out MK_* flags in BMAKE, etc on this branch)
|
| #
e65720e1 |
| 18-Dec-2014 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r275759 through r275911.
|