chore: cherry-pick 2c26785, b03de8b and a3c3ef6 from usrsctp. #27492

Merged
merged 2 commits into from
Jan 26, 2021

@ppontes ppontes commented Jan 26, 2021

====
Author: Michael Tuexen tuexen@fh-muenster.de
Date: Mon Dec 14 00:57:51 2020 +0100

Cherry picking: Harden the handling of outgoing streams in case of a restart or INIT collision.

This avoids an out-of-bounds access in case the peer can
break the cookie signature. Thanks to Felix Wilhelm from Google for
reporting the issue.

Patch-Filename: cherry_picking_harden_the_handling_of_outgoing_streams.patch

====
commit ea25ba5043df708106cbc45e0a33ec3b74eaa767
Author: Michael Tuexen tuexen@fh-muenster.de
Date: Sat Dec 12 23:30:59 2020 +0100

Cherry picking: Clean up more resources of an existing SCTP association in case of a restart.

This fixes a use-after-free scenario, which was reported by Felix
Wilhelm from Google in case a peer is able to modify the cookie.
However, this can also be triggered by an association restart under
some specific conditions.

Patch-Filename: cherry_picking_clean_up_more_resources_of_an_existing_sctp.patch

====
commit 41fd9ce4fc62eb41cb4be826abf17c93e8a78fdb
Author: Michael Tuexen tuexen@fh-muenster.de
Date: Tue Sep 29 11:38:11 2020 +0200

Cherry picking: Improve the input validation and processing of cookies.

This avoids setting the association in an inconsistent
state, which could result in a use-after-free situation.
The issue can be triggered by a malicious peer, if the peer
can modify the cookie without the local endpoint recognizing it.

Thanks to Ned Williamson for reporting the issue.

Patch-Filename: cherry_picking_improve_the_input_validation_and_processing_of.patch

Release Notes

Notes: backported the fix to CVE-2020-16044.

@ppontes ppontes added semver/patch backwards-compatible bug fixes 10-x-y backport-check-skip Skip trop's backport validity checking labels Jan 26, 2021
@ppontes ppontes requested a review from a team as a code owner January 26, 2021 14:56
@ppontes ppontes force-pushed the cherry-pick/10-x-y/usrsctp/2c26785-b03de8b-a3c3ef6 branch from bc166bc to bda1532 Compare January 26, 2021 15:38

@ckerr ckerr left a comment

RSLGTM

@codebytere codebytere merged commit cef56e1 into 10-x-y Jan 26, 2021

release-clerk bot commented Jan 26, 2021

Release Notes Persisted

backported the fix to CVE-2020-16044.

@codebytere codebytere deleted the cherry-pick/10-x-y/usrsctp/2c26785-b03de8b-a3c3ef6 branch January 26, 2021 22:13