Date: Tue, 4 Jan 2011 15:31:31 -0800
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE-2010-4526 kernel: sctp: a race between ICMP protocol unreachable and connect()

On Tue, Jan 04, 2011 at 02:33:04PM +0800, Eugene Teo wrote:
> http://git.kernel.org/linus/50b5d6ad63821cea324a5a7a19854d4de1a0a819
> https://bugzilla.redhat.com/CVE-2010-4526
>
> commit 50b5d6ad63821cea324a5a7a19854d4de1a0a819
> Author: Vlad Yasevich <vladislav.yasevich@...com>
> Date: Thu May 6 00:56:07 2010 -0700
>
> sctp: Fix a race between ICMP protocol unreachable and connect()
>
> ICMP protocol unreachable handling completely disregarded
> the fact that the user may have locked the socket. It proceeded
> to destroy the association, even though the user may have
> held the lock and had a ref on the association.
> [...]
> This was because the sctp_wait_for_connect() would acquire the socket
> lock and then proceed to release the last reference count on the
> association, thus cause the fully destruction path to finish freeing
> the socket.
>
> This affects kernels v2.6.11-rc2 and above.

Not all, it was fixed in the 2.6.34 kernel, which was released back in
May of 2010.

thanks,

greg k-h