Wrong length calculation for sctp_getladdrs()/sctp_getpaddrs()
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lksctp-tools (Ubuntu) | Fix Released | Medium | Unassigned | | |
Bug Description
lksctp-
memmove(getaddrs, getaddrs + 1, len - sizeof(struct sctp_getaddrs));
uses a wrong length. It must be "len" instead of "len - sizeof(...)". This bug results in wrong address(es) returned in the list. This can lead to security problems when the last address is used e.g. for identifying a node. If the only address is garbled, this may lead to an application denial of service. For example, Reliable Server Pooling (RSerPool) server applications use sctp_getladdrs() to find out the local host addresses of a server to be registered into a pool. If this address is invalid, no registration is possible => server will not be usable for clients.
Corrected call must be:
memmove(getaddrs, getaddrs + 1, len);
This bug is fixed in version 1.0.8 (at lksctp.
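The effect of the two length arguments on a single IPv6 address, as an added example that is not part of the original report or of lksctp-tools. `struct demo_getaddrs` and `strip_header()` are hypothetical stand-ins, the sample address is constructed, and `len` is assumed to count only the address bytes after the header, as the corrected call implies.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct sctp_getaddrs: an 8-byte header that is
 * followed directly by the packed socket addresses. */
struct demo_getaddrs { int32_t assoc_id; uint32_t addr_num; };

/* Build a constructed one-address reply, strip the header with the chosen
 * memmove length, and write the address the caller would see to out.
 * Returns 1 if intact, 0 if garbled, -1 on error. Assumes len = address bytes. */
static int strip_header(const char *ip, int corrected, char *out, socklen_t outlen)
{
    struct sockaddr_in6 want, got;
    size_t len = sizeof(want);
    struct demo_getaddrs *getaddrs = calloc(1, sizeof(*getaddrs) + len);
    memset(&want, 0, sizeof(want));
    want.sin6_family = AF_INET6;
    want.sin6_port = htons(5000);
    if (getaddrs == NULL || inet_pton(AF_INET6, ip, &want.sin6_addr) != 1) {
        free(getaddrs);
        return -1;
    }
    getaddrs->addr_num = 1;
    memcpy(getaddrs + 1, &want, len);

    if (corrected)
        memmove(getaddrs, getaddrs + 1, len);
    else  /* call from the report: the last 8 address bytes are never moved */
        memmove(getaddrs, getaddrs + 1, len - sizeof(struct demo_getaddrs));
    memcpy(&got, getaddrs, sizeof(got));
    free(getaddrs);
    if (inet_ntop(AF_INET6, &got.sin6_addr, out, outlen) == NULL) return -1;
    return memcmp(&want, &got, sizeof(want)) == 0;
}

int main(void)
{
    char out[INET6_ADDRSTRLEN] = "";
    const char *ip = "2001:db8::1234:5678";  /* constructed sample address */
    for (int corrected = 0; corrected <= 1; corrected++) {
        int ok = strip_header(ip, corrected, out, sizeof(out));
        printf("corrected=%d intact=%d addr=%s\n", corrected, ok, out);
    }
    return 0;
}
```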
Changed in lksctp-tools: status: New → Confirmed
Changed in lksctp-tools (Ubuntu): importance: Undecided → Medium
Changed in lksctp-tools (Ubuntu): status: Confirmed → Fix Released
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures