oss-security January 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: [oss-security] CVE-2010-4526 kernel: sctp: a race

[oss-security] CVE-2010-4526 kernel: sctp: a race between ICMP protocol unreachable and connect()

From: Eugene Teo <eugene_at_nospam>
Date: Tue Jan 04 2011 - 06:33:04 GMT
To: oss-security@lists.openwall.com

http://git.kernel.org/linus/50b5d6ad63821cea324a5a7a19854d4de1a0a819
https://bugzilla.redhat.com/CVE-2010-4526

commit 50b5d6ad63821cea324a5a7a19854d4de1a0a819
Author: Vlad Yasevich <vladislav.yasevich@hp.com>
Date: Thu May 6 00:56:07 2010 -0700

sctp: Fix a race between ICMP protocol unreachable and connect()

     ICMP protocol unreachable handling completely disregarded
     the fact that the user may have locked the socket. It proceeded
     to destroy the association, even though the user may have
     held the lock and had a ref on the association.
[...]
     This was because the sctp_wait_for_connect() would aqcure the socket
     lock and then proceed to release the last reference count on the
     association, thus cause the fully destruction path to finish freeing
     the socket.

This affects kernels v2.6.11-rc2 and above.

Thanks, Eugene