Add advisories and patches for SA-15:02.kmem and SA-15:03.sctp.

svn path=/head/; revision=46235
2015-01-27 19:53:31 +00:00 · 2015-01-27 19:53:31 +00:00 · 4865711fb9 · 2020-12-08 03:00:23 +00:00
commit 4865711fb9
parent d78ba7735b
7 changed files with 491 additions and 0 deletions
--- a/share/security/patches/SA-15:02/sctp.patch
+++ b/share/security/patches/SA-15:02/sctp.patch
@ -0,0 +1,45 @@
+Index: sys/netinet/sctp_usrreq.c
+===================================================================
+--- sys/netinet/sctp_usrreq.c	(revision 277788)
+++ sys/netinet/sctp_usrreq.c	(working copy)
+@@ -1863,8 +1863,9 @@ flags_out:
+ 			SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize);
+ 			SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ 			if (stcb) {
+-				if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+-				    &av->stream_value) < 0) {
+				if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
+				    (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+				    &av->stream_value) < 0)) {
+ 					SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ 					error = EINVAL;
+ 				} else {
+@@ -4032,8 +4033,9 @@ sctp_setopt(struct socket *so, int optname, void *
+ 			SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize);
+ 			SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ 			if (stcb) {
+-				if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+-				    av->stream_value) < 0) {
+				if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
+				    (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+				    av->stream_value) < 0)) {
+ 					SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ 					error = EINVAL;
+ 				}
+@@ -4043,10 +4045,12 @@ sctp_setopt(struct socket *so, int optname, void *
+ 					SCTP_INP_RLOCK(inp);
+ 					LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
+ 						SCTP_TCB_LOCK(stcb);
+-						stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
+-						    &stcb->asoc,
+-						    &stcb->asoc.strmout[av->stream_id],
+-						    av->stream_value);
+						if (av->stream_id < stcb->asoc.streamoutcnt) {
+							stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
+							    &stcb->asoc,
+							    &stcb->asoc.strmout[av->stream_id],
+							    av->stream_value);
+						}
+ 						SCTP_TCB_UNLOCK(stcb);
+ 					}
+ 					SCTP_INP_RUNLOCK(inp);