Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 27 Jan 2015 19:53:32 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r46235 - in head/share: security/advisories security/patches/SA-15:02 security/patches/SA-15:03 xml
Message-ID:  <201501271953.t0RJrWL0024785@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: delphij
Date: Tue Jan 27 19:53:31 2015
New Revision: 46235
URL: https://svnweb.freebsd.org/changeset/doc/46235

Log:
  Add advisories and patches for SA-15:02.kmem and SA-15:03.sctp.

Added:
  head/share/security/advisories/FreeBSD-SA-15:02.kmem.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:03.sctp.asc   (contents, props changed)
  head/share/security/patches/SA-15:02/
  head/share/security/patches/SA-15:02/sctp.patch   (contents, props changed)
  head/share/security/patches/SA-15:02/sctp.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:03/
  head/share/security/patches/SA-15:03/sctp.patch   (contents, props changed)
  head/share/security/patches/SA-15:03/sctp.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-15:02.kmem.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:02.kmem.asc	Tue Jan 27 19:53:31 2015	(r46235)
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:02.kmem                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          SCTP SCTP_SS_VALUE kernel memory corruption and disclosure
+
+Category:       core
+Module:         sctp
+Announced:      2015-01-27
+Credits:        Clement LECIGNE from Google Security Team and
+                Francisco Falcon from Core Security Technologies
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE)
+                2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5)
+                2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17)
+                2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE)
+                2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9)
+                2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE)
+                2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23)
+CVE Name:       CVE-2014-8612
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+SCTP protocol provides reliable, flow-controlled, two-way transmission
+of data.  It is a message oriented protocol and can support the SOCK_STREAM
+and SOCK_SEQPACKET abstractions.
+
+SCTP allows the user to choose between multiple scheduling algorithms to
+optimize the sending behavior of SCTP in scenarios with different
+requirements.
+
+II.  Problem Description
+
+Due to insufficient validation of the SCTP stream ID, which serves as an array
+index, a local unprivileged attacker can read or write 16-bits of kernel
+memory.
+
+III. Impact
+
+An unprivileged process can read or modify 16-bits of memory which
+belongs to the kernel.  This smay lead to exposure of sensitive
+information or allow privilege escalation.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc
+# gpg --verify sctp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r277807
+releng/8.4/                                                       r277808
+stable/9/                                                         r277807
+releng/9.3/                                                       r277808
+stable/10/                                                        r277807
+releng/10.0/                                                      r277808
+releng/10.1/                                                      r277808
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+We would like to acknowledge Clement LECIGNE from Google Security Team and
+Francisco Falcon from Core Security Technologies who discovered the issue
+independently and reported to the FreeBSD Security Team.
+
+<URL:http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities>;
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8612>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc>;
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAEBCgAGBQJUx+qPAAoJEO1n7NZdz2rndPwQAJYuUZhkBqt6Lj0Wnuu220QL
+OwMQAVBDggfNMJj5GCMRYqniARGg53UpzBjbKyen9N7tQtjgF6ll9EcWQhUdQSSl
+07iCLGkn7kAu5jRO7+S/fJLXaUBfo+KfrUakHBdrWGKD0VVp/DDMbjbzZWl8Yw0S
+7g0tqSmNcR1uUbAAsSXUfN9N/8OZzkqCiDvmVcFtalw1CjFyl6XbYXxNS+/j7LrU
+YQBJdz9F/X/oPe19VQ36olZWzTdlSLwa/ylwNW7O6K5NdoCq73Co4IDL0gkAgtdQ
+s4A7h4UwEoYleRRX+g9Rbeq2tz9FwfIwSferFRF5/1thc0cVJ2e/oDq9lmzyepwa
+rbH8jy/TMtSKHlali8I3w6KYfqRFs6whS9Bud1b0SgrqqZizsO64BbvSzkELxHJl
+PMUPHHCh3w0CXnRcaxC+rY/kazPZeRzebMaxQLAV0KTEVp0aSGw7FBtEE+ldrHUd
+rp1bLESjTjtagr1K1UsCKKZr/t9RSHSZ1I6vfxBPUsUu7oUgd+aOmEpiyYKxna0y
+vS5ECCrJG4k9fsQ1emyB5NhROYCXdq2CavfWWOOi3LoUhVvh34N27HVZlqv2m3Y9
+sM20xOB3dSx3ufsv19nAclVpL76Pu7fD/MNe+lhUk1KKgqx0L7vdiJfMIrafLYsR
+V2Rre46fapln8T+wvhQP
+=o9yw
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-15:03.sctp.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:03.sctp.asc	Tue Jan 27 19:53:31 2015	(r46235)
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:03.sctp                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          SCTP stream reset vulnerability
+
+Category:       core
+Module:         sctp
+Announced:      2015-01-27
+Credits:        Gerasimos Dimitriadis
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE)
+                2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5)
+                2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17)
+                2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE)
+                2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9)
+                2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE)
+                2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23)
+CVE Name:       CVE-2014-8613
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+SCTP protocol provides reliable, flow-controlled, two-way transmission
+of data.  It is a message oriented protocol and can support the SOCK_STREAM
+and SOCK_SEQPACKET abstractions.
+
+II.  Problem Description
+
+The input validation of received SCTP RE_CONFIG chunks is insufficient,
+and can result in a NULL pointer deference later.
+
+III. Impact
+
+A remote attacker who can send a malformed SCTP packet to a FreeBSD system
+that serves SCTP can cause a kernel panic, resulting in a Denial of
+Service.
+
+IV.  Workaround
+
+On FreeBSD 10.1 or later systems, the system administrator can set
+net.inet.sctp.reconfig_enable to 0 to disable processing of RE_CONFIG
+chunks.  This workaround is not available on earlier FreeBSD releases,
+but systems that do not serve SCTP connections are not vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch.asc
+# gpg --verify sctp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r277807
+releng/8.4/                                                       r277808
+stable/9/                                                         r277807
+releng/9.3/                                                       r277808
+stable/10/                                                        r277807
+releng/10.0/                                                      r277808
+releng/10.1/                                                      r277808
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8613>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:03.sctp.asc>;
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAEBCgAGBQJUx+qbAAoJEO1n7NZdz2rnR98QAOWIIf7+akuopMxuVnppZKub
+DKCgVAJznitKoxnBtYMAOTcKdf65dQqaAgznAWBRo+USue5LIOI0jjgLuQgepoG6
+eIosPiRXqvMQL6Qqx8ydwM3xiVQd+b9pMiLkh3cfljr1Oh6OV+YSRXC+HBKZXaR6
+sn5kHRR7xFiwV/HsX4RoSik3qPbDl1x66jeN5jL0Wqg2qjCagK6OxGOtkIlt3pDj
+QrYNX/l20hXmvPjRojSEPhY+52X29/nlQjfJg/pwpsmiZJe3cqmfsh1aceUOH1Tu
+BOVxwE3oYWrJ8NZBa2cKReU1Sdvl1FxtlaXwkE+sRBzh1/vA7AZU6jWL7fEV1wv0
+2mZYLoCrSHfBongLMohs4DQ8CCnH3iEoUBRbG9HGwlAh4s9CAre87oIdHHFWRSsg
+oIHxNDG+lk+yNJuOKfjDT+poyuYw7TlBfYN+ifO5UHPOEIH430FWF3B3P2oH4I/M
+7VQRClaxaNiPfAJxa11IwHKWM12yrrM7483AuPqdd1r9OUnx33y1jPY0ByemXv9d
+LE8jJXs0cdR7zCJuV9R8Uif9xkdGLTj9emsqjaS1KxSJrSzPJaah4nkWq8BRmMXK
+3xOxlIM/cGJLU+/cliDy3CqHipU4pt+S4RuAB41xx2k5g9YiAMH178xrfOgrklSH
+xKfAM/gz4YqESK5QPjqO
+=859G
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-15:02/sctp.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:02/sctp.patch	Tue Jan 27 19:53:31 2015	(r46235)
@@ -0,0 +1,45 @@
+Index: sys/netinet/sctp_usrreq.c
+===================================================================
+--- sys/netinet/sctp_usrreq.c	(revision 277788)
++++ sys/netinet/sctp_usrreq.c	(working copy)
+@@ -1863,8 +1863,9 @@ flags_out:
+ 			SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize);
+ 			SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ 			if (stcb) {
+-				if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+-				    &av->stream_value) < 0) {
++				if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
++				    (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
++				    &av->stream_value) < 0)) {
+ 					SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ 					error = EINVAL;
+ 				} else {
+@@ -4032,8 +4033,9 @@ sctp_setopt(struct socket *so, int optname, void *
+ 			SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize);
+ 			SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ 			if (stcb) {
+-				if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+-				    av->stream_value) < 0) {
++				if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
++				    (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
++				    av->stream_value) < 0)) {
+ 					SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ 					error = EINVAL;
+ 				}
+@@ -4043,10 +4045,12 @@ sctp_setopt(struct socket *so, int optname, void *
+ 					SCTP_INP_RLOCK(inp);
+ 					LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
+ 						SCTP_TCB_LOCK(stcb);
+-						stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
+-						    &stcb->asoc,
+-						    &stcb->asoc.strmout[av->stream_id],
+-						    av->stream_value);
++						if (av->stream_id < stcb->asoc.streamoutcnt) {
++							stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
++							    &stcb->asoc,
++							    &stcb->asoc.strmout[av->stream_id],
++							    av->stream_value);
++						}
+ 						SCTP_TCB_UNLOCK(stcb);
+ 					}
+ 					SCTP_INP_RUNLOCK(inp);

Added: head/share/security/patches/SA-15:02/sctp.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:02/sctp.patch.asc	Tue Jan 27 19:53:31 2015	(r46235)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAABCgAGBQJUx+qbAAoJEO1n7NZdz2rn0EgP/0JAL3PGZvxezFy8oCtccfmK
+8puU1nlEVq4f0CETGqH1x1bd/P5kMFtC6JAaGbXg4xk2BAi5PLLUf4jPEXu9V8Ok
+a2IJ3uuVUAEmrccdyDq4N9ahrnODGNf0nsR6QhcZYJGWg5GoMeHQbMTIVLkF7yHz
+5NztDnQO6YuWHYkOFw92zMxNxijH5rUBRbRPfgBxn+6YWL8aabWwrShNmWSIZykb
+5NDVYwjl0WozEh0NNdXHwOi+14hUIWCAaNmxHBgkxursQI8G0/js8xLbf/ehVU8d
+MuRtVRB1jWCjEIo/Uat6A5Uy6wwCZsTeIFU7RwVYPmF2LtMxYdPP8V6NINErSn/d
+wcaRawS9pmbKHmRR3Xk4hnuLpbewu0qB+TS/z1UNCaoSsv//MuSFt4NTMafMMnee
+PuwZXPtrjIpCLLDpWZ9o79eX3v3VnmMx2P3Cu+UADoDs/nhWMC0liJ3AlGQBFwso
+Z2lXiaujjsqb4JY2VonySuRxkByO/AbJqc9BP+cN2H8EHgzZLUs+ACcmE9O8y/Th
+gIWvszlu2gWVyhONIxUD39DGfTCfhQLgMWSaVtQOBL0BEltRJGjYn/RrbZjffGeo
+RHG5Gp2212hclgES/mIbfknECixa8VK0u/+AlWmGW5Oahux/pDMnxuRqD9DkfEDS
+BSWdWxJZ4q5YDH7GAvyP
+=ZyyZ
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-15:03/sctp.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:03/sctp.patch	Tue Jan 27 19:53:31 2015	(r46235)
@@ -0,0 +1,119 @@
+Index: sys/netinet/sctp_input.c
+===================================================================
+--- sys/netinet/sctp_input.c	(revision 277788)
++++ sys/netinet/sctp_input.c	(working copy)
+@@ -3649,6 +3649,9 @@ sctp_handle_stream_reset_response(struct sctp_tcb
+ 					/* huh ? */
+ 					return (0);
+ 				}
++				if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) {
++					return (0);
++				}
+ 				if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
+ 					resp = (struct sctp_stream_reset_response_tsn *)respin;
+ 					asoc->stream_reset_outstanding--;
+@@ -4037,7 +4040,7 @@ __attribute__((noinline))
+ 	    sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
+         struct sctp_chunkhdr *ch_req)
+ {
+-	int chk_length, param_len, ptype;
++	uint16_t remaining_length, param_len, ptype;
+ 	struct sctp_paramhdr pstore;
+ 	uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
+ 	uint32_t seq = 0;
+@@ -4050,7 +4053,7 @@ __attribute__((noinline))
+ 	int num_param = 0;
+ 
+ 	/* now it may be a reset or a reset-response */
+-	chk_length = ntohs(ch_req->chunk_length);
++	remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);
+ 
+ 	/* setup for adding the response */
+ 	sctp_alloc_a_chunk(stcb, chk);
+@@ -4088,20 +4091,27 @@ strres_nochunk:
+ 	ch->chunk_length = htons(chk->send_size);
+ 	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
+ 	offset += sizeof(struct sctp_chunkhdr);
+-	while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
++	while (remaining_length >= sizeof(struct sctp_paramhdr)) {
+ 		ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore);
+-		if (ph == NULL)
++		if (ph == NULL) {
++			/* TSNH */
+ 			break;
++		}
+ 		param_len = ntohs(ph->param_length);
+-		if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
+-			/* bad param */
++		if ((param_len > remaining_length) ||
++		    (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) {
++			/* bad parameter length */
+ 			break;
+ 		}
+-		ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)),
++		ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)),
+ 		    (uint8_t *) & cstore);
++		if (ph == NULL) {
++			/* TSNH */
++			break;
++		}
+ 		ptype = ntohs(ph->param_type);
+ 		num_param++;
+-		if (param_len > (int)sizeof(cstore)) {
++		if (param_len > sizeof(cstore)) {
+ 			trunc = 1;
+ 		} else {
+ 			trunc = 0;
+@@ -4113,6 +4123,9 @@ strres_nochunk:
+ 		if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
+ 			struct sctp_stream_reset_out_request *req_out;
+ 
++			if (param_len < sizeof(struct sctp_stream_reset_out_request)) {
++				break;
++			}
+ 			req_out = (struct sctp_stream_reset_out_request *)ph;
+ 			num_req++;
+ 			if (stcb->asoc.stream_reset_outstanding) {
+@@ -4126,6 +4139,9 @@ strres_nochunk:
+ 		} else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) {
+ 			struct sctp_stream_reset_add_strm *str_add;
+ 
++			if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
++				break;
++			}
+ 			str_add = (struct sctp_stream_reset_add_strm *)ph;
+ 			num_req++;
+ 			sctp_handle_str_reset_add_strm(stcb, chk, str_add);
+@@ -4132,6 +4148,9 @@ strres_nochunk:
+ 		} else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) {
+ 			struct sctp_stream_reset_add_strm *str_add;
+ 
++			if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
++				break;
++			}
+ 			str_add = (struct sctp_stream_reset_add_strm *)ph;
+ 			num_req++;
+ 			sctp_handle_str_reset_add_out_strm(stcb, chk, str_add);
+@@ -4156,6 +4175,9 @@ strres_nochunk:
+ 			struct sctp_stream_reset_response *resp;
+ 			uint32_t result;
+ 
++			if (param_len < sizeof(struct sctp_stream_reset_response)) {
++				break;
++			}
+ 			resp = (struct sctp_stream_reset_response *)ph;
+ 			seq = ntohl(resp->response_seq);
+ 			result = ntohl(resp->result);
+@@ -4167,7 +4189,11 @@ strres_nochunk:
+ 			break;
+ 		}
+ 		offset += SCTP_SIZE32(param_len);
+-		chk_length -= SCTP_SIZE32(param_len);
++		if (remaining_length >= SCTP_SIZE32(param_len)) {
++			remaining_length -= SCTP_SIZE32(param_len);
++		} else {
++			remaining_length = 0;
++		}
+ 	}
+ 	if (num_req == 0) {
+ 		/* we have no response free the stuff */

Added: head/share/security/patches/SA-15:03/sctp.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:03/sctp.patch.asc	Tue Jan 27 19:53:31 2015	(r46235)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAABCgAGBQJUx+qbAAoJEO1n7NZdz2rng3MP/3a6EgYQFrHJZ0f89jJh+tgC
+tnj7NSHGAYI4LjwqBMLngfwVw7lzqd46dE9VUc5E123RE7HOwYCkllebWKkQdMxa
+6NvCxmIT0jRcmMb2TWteS6Tp1DE7I2COJHBA4BLN0T+3/KwgvSEU3p1947uumlL1
+m7qh69thHqi5tbqLkBh6j5CVPZj/hM+wBX+GRHm4s6Bo/NsnVWS2iCscsiOYFylP
+IIYl8puXa8zv4EV/Jqco779BpJ71Bqr+zIcOq9uf8dcWAHrOTCYx85e4xNQ2sCmB
+KlA8kYqdFR4XdgSJC9UhMpq9V206+wjAUiJz1JvpEd2+IaEs1RyFDl3MUxQoWDHU
+cXS1Bg9/z/mP1PzC4XQxSgcqgjD3q94AoOLKIFLsdvqXZ4aQ8VXrWAm0hAC4DMLd
+e3t+Np0XXE3IpUEnp50GEqkrAKKkcbvUT40HFqS/v/jHE48X5ISd4vAjFPEd0ANV
+5a7IsrYiDDFOLltTuk2zrOfCfEj6QonVs4/SqTApcOsrCP6Jxy0OqmyKNy6bgps+
+vmzaQl0/I7d/JEclNpXFl8BdxWsXL354KhI83/JKftP33cjA5p9y4Yor9nG5EAFx
+8YpJ1MQtjVu2S0fyxhvCGSsaepob5R4Wzb3q5uRsGbU2RMwqXNbyOlLOaETD1FSC
+17CUlhlbHpMGss4B09S8
+=j7hV
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Tue Jan 27 06:38:29 2015	(r46234)
+++ head/share/xml/advisories.xml	Tue Jan 27 19:53:31 2015	(r46235)
@@ -11,6 +11,18 @@
       <name>1</name>
 
       <day>
+        <name>27</name>
+
+        <advisory>
+          <name>FreeBSD-SA-15:03.sctp</name>
+        </advisory>
+
+        <advisory>
+          <name>FreeBSD-SA-15:02.kmem</name>
+        </advisory>
+      </day>
+
+      <day>
         <name>14</name>
 
         <advisory>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201501271953.t0RJrWL0024785>