CVE-2016-9555

The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.

Weakness

The product reads data past the end, or before the beginning, of the intended buffer.

Affected Software

Name	Vendor	Start Version	End Version
Linux_kernel	Linux	3.2 (including)	3.2.85 (excluding)
Linux_kernel	Linux	3.3 (including)	3.10.105 (excluding)
Linux_kernel	Linux	3.11 (including)	3.12.68 (excluding)
Linux_kernel	Linux	3.13 (including)	3.16.40 (excluding)
Linux_kernel	Linux	3.17 (including)	3.18.49 (excluding)
Linux_kernel	Linux	3.19 (including)	4.4.32 (excluding)
Linux_kernel	Linux	4.5.0 (including)	4.8.8 (excluding)
Red Hat Enterprise Linux 6	RedHat	kernel-0:2.6.32-642.15.1.el6	*
Red Hat Enterprise Linux 7	RedHat	kernel-rt-0:3.10.0-514.6.1.rt56.429.el7	*
Red Hat Enterprise Linux 7	RedHat	kernel-0:3.10.0-514.6.1.el7	*
Red Hat Enterprise MRG 2	RedHat	kernel-rt-1:3.10.0-514.rt56.210.el6rt	*
Linux	Ubuntu	esm-infra-legacy/trusty	*
Linux	Ubuntu	esm-infra/xenial	*
Linux	Ubuntu	precise	*
Linux	Ubuntu	trusty	*
Linux	Ubuntu	trusty/esm	*
Linux	Ubuntu	upstream	*
Linux	Ubuntu	vivid/ubuntu-core	*
Linux	Ubuntu	xenial	*
Linux	Ubuntu	yakkety	*
Linux-armadaxp	Ubuntu	precise	*
Linux-armadaxp	Ubuntu	upstream	*
Linux-aws	Ubuntu	upstream	*
Linux-aws-5.15	Ubuntu	upstream	*
Linux-aws-5.4	Ubuntu	upstream	*
Linux-aws-6.14	Ubuntu	upstream	*
Linux-aws-6.8	Ubuntu	upstream	*
Linux-aws-fips	Ubuntu	trusty	*
Linux-aws-fips	Ubuntu	upstream	*
Linux-aws-fips	Ubuntu	xenial	*
Linux-aws-hwe	Ubuntu	upstream	*
Linux-azure	Ubuntu	bionic	*
Linux-azure	Ubuntu	esm-infra/bionic	*
Linux-azure	Ubuntu	upstream	*
Linux-azure-4.15	Ubuntu	upstream	*
Linux-azure-5.15	Ubuntu	upstream	*
Linux-azure-5.4	Ubuntu	upstream	*
Linux-azure-6.11	Ubuntu	noble	*
Linux-azure-6.11	Ubuntu	upstream	*
Linux-azure-6.8	Ubuntu	upstream	*
Linux-azure-fde	Ubuntu	esm-infra/focal	*
Linux-azure-fde	Ubuntu	focal	*
Linux-azure-fde	Ubuntu	upstream	*
Linux-azure-fde-5.15	Ubuntu	esm-infra/focal	*
Linux-azure-fde-5.15	Ubuntu	focal	*
Linux-azure-fde-5.15	Ubuntu	upstream	*
Linux-azure-fips	Ubuntu	trusty	*
Linux-azure-fips	Ubuntu	upstream	*
Linux-azure-fips	Ubuntu	xenial	*
Linux-azure-nvidia	Ubuntu	upstream	*
Linux-bluefield	Ubuntu	upstream	*
Linux-fips	Ubuntu	upstream	*
Linux-flo	Ubuntu	trusty	*
Linux-flo	Ubuntu	upstream	*
Linux-flo	Ubuntu	vivid/stable-phone-overlay	*
Linux-flo	Ubuntu	xenial	*
Linux-flo	Ubuntu	yakkety	*
Linux-gcp	Ubuntu	bionic	*
Linux-gcp	Ubuntu	esm-infra/bionic	*
Linux-gcp	Ubuntu	upstream	*
Linux-gcp-4.15	Ubuntu	upstream	*
Linux-gcp-5.15	Ubuntu	upstream	*
Linux-gcp-5.4	Ubuntu	upstream	*
Linux-gcp-6.11	Ubuntu	noble	*
Linux-gcp-6.11	Ubuntu	upstream	*
Linux-gcp-6.14	Ubuntu	upstream	*
Linux-gcp-6.8	Ubuntu	upstream	*
Linux-gcp-fips	Ubuntu	trusty	*
Linux-gcp-fips	Ubuntu	upstream	*
Linux-gcp-fips	Ubuntu	xenial	*
Linux-gke	Ubuntu	esm-infra/focal	*
Linux-gke	Ubuntu	focal	*
Linux-gke	Ubuntu	upstream	*
Linux-gkeop	Ubuntu	esm-infra/focal	*
Linux-gkeop	Ubuntu	focal	*
Linux-gkeop	Ubuntu	upstream	*
Linux-goldfish	Ubuntu	trusty	*
Linux-goldfish	Ubuntu	upstream	*
Linux-goldfish	Ubuntu	xenial	*
Linux-goldfish	Ubuntu	yakkety	*
Linux-goldfish	Ubuntu	zesty	*
Linux-grouper	Ubuntu	trusty	*
Linux-grouper	Ubuntu	upstream	*
Linux-hwe	Ubuntu	bionic	*
Linux-hwe	Ubuntu	esm-infra/bionic	*
Linux-hwe	Ubuntu	upstream	*
Linux-hwe-5.15	Ubuntu	upstream	*
Linux-hwe-5.4	Ubuntu	upstream	*
Linux-hwe-6.11	Ubuntu	noble	*
Linux-hwe-6.11	Ubuntu	upstream	*
Linux-hwe-6.14	Ubuntu	upstream	*
Linux-hwe-6.8	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/bionic	*
Linux-hwe-edge	Ubuntu	upstream	*
Linux-ibm	Ubuntu	upstream	*
Linux-ibm-5.15	Ubuntu	upstream	*
Linux-ibm-5.4	Ubuntu	upstream	*
Linux-ibm-6.8	Ubuntu	upstream	*
Linux-intel	Ubuntu	upstream	*
Linux-intel-iot-realtime	Ubuntu	jammy	*
Linux-intel-iot-realtime	Ubuntu	upstream	*
Linux-intel-iotg	Ubuntu	upstream	*
Linux-intel-iotg-5.15	Ubuntu	upstream	*
Linux-iot	Ubuntu	upstream	*
Linux-kvm	Ubuntu	upstream	*
Linux-linaro-omap	Ubuntu	precise	*
Linux-linaro-omap	Ubuntu	upstream	*
Linux-linaro-shared	Ubuntu	precise	*
Linux-linaro-shared	Ubuntu	upstream	*
Linux-linaro-vexpress	Ubuntu	precise	*
Linux-linaro-vexpress	Ubuntu	upstream	*
Linux-lowlatency	Ubuntu	upstream	*
Linux-lowlatency-hwe-5.15	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.11	Ubuntu	noble	*
Linux-lowlatency-hwe-6.11	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.8	Ubuntu	upstream	*
Linux-lts-quantal	Ubuntu	precise	*
Linux-lts-quantal	Ubuntu	precise/esm	*
Linux-lts-quantal	Ubuntu	upstream	*
Linux-lts-raring	Ubuntu	precise	*
Linux-lts-raring	Ubuntu	precise/esm	*
Linux-lts-raring	Ubuntu	upstream	*
Linux-lts-saucy	Ubuntu	precise	*
Linux-lts-saucy	Ubuntu	precise/esm	*
Linux-lts-saucy	Ubuntu	upstream	*
Linux-lts-trusty	Ubuntu	precise	*
Linux-lts-trusty	Ubuntu	upstream	*
Linux-lts-utopic	Ubuntu	trusty	*
Linux-lts-utopic	Ubuntu	upstream	*
Linux-lts-vivid	Ubuntu	trusty	*
Linux-lts-vivid	Ubuntu	upstream	*
Linux-lts-wily	Ubuntu	trusty	*
Linux-lts-wily	Ubuntu	upstream	*
Linux-lts-xenial	Ubuntu	trusty	*
Linux-lts-xenial	Ubuntu	upstream	*
Linux-maguro	Ubuntu	trusty	*
Linux-maguro	Ubuntu	upstream	*
Linux-mako	Ubuntu	trusty	*
Linux-mako	Ubuntu	upstream	*
Linux-mako	Ubuntu	vivid/stable-phone-overlay	*
Linux-mako	Ubuntu	xenial	*
Linux-mako	Ubuntu	yakkety	*
Linux-manta	Ubuntu	trusty	*
Linux-manta	Ubuntu	upstream	*
Linux-nvidia	Ubuntu	upstream	*
Linux-nvidia-6.11	Ubuntu	upstream	*
Linux-nvidia-6.8	Ubuntu	upstream	*
Linux-nvidia-lowlatency	Ubuntu	upstream	*
Linux-nvidia-tegra	Ubuntu	upstream	*
Linux-nvidia-tegra-5.15	Ubuntu	upstream	*
Linux-nvidia-tegra-igx	Ubuntu	upstream	*
Linux-oem-6.11	Ubuntu	upstream	*
Linux-oem-6.14	Ubuntu	upstream	*
Linux-oem-6.8	Ubuntu	upstream	*
Linux-oracle	Ubuntu	upstream	*
Linux-oracle-5.15	Ubuntu	upstream	*
Linux-oracle-5.4	Ubuntu	upstream	*
Linux-oracle-6.14	Ubuntu	upstream	*
Linux-oracle-6.8	Ubuntu	upstream	*
Linux-qcm-msm	Ubuntu	precise	*
Linux-qcm-msm	Ubuntu	upstream	*
Linux-raspi	Ubuntu	upstream	*
Linux-raspi-5.4	Ubuntu	upstream	*
Linux-raspi-realtime	Ubuntu	noble	*
Linux-raspi-realtime	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	bionic	*
Linux-raspi2	Ubuntu	esm-infra/focal	*
Linux-raspi2	Ubuntu	focal	*
Linux-raspi2	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	vivid/ubuntu-core	*
Linux-raspi2	Ubuntu	xenial	*
Linux-raspi2	Ubuntu	yakkety	*
Linux-realtime	Ubuntu	jammy	*
Linux-realtime	Ubuntu	noble	*
Linux-realtime	Ubuntu	upstream	*
Linux-riscv	Ubuntu	esm-infra/focal	*
Linux-riscv	Ubuntu	focal	*
Linux-riscv	Ubuntu	jammy	*
Linux-riscv	Ubuntu	noble	*
Linux-riscv	Ubuntu	upstream	*
Linux-riscv-5.15	Ubuntu	upstream	*
Linux-riscv-6.14	Ubuntu	upstream	*
Linux-riscv-6.8	Ubuntu	upstream	*
Linux-snapdragon	Ubuntu	bionic	*
Linux-snapdragon	Ubuntu	upstream	*
Linux-snapdragon	Ubuntu	xenial	*
Linux-snapdragon	Ubuntu	yakkety	*
Linux-ti-omap4	Ubuntu	precise	*
Linux-ti-omap4	Ubuntu	upstream	*
Linux-xilinx-zynqmp	Ubuntu	upstream	*

Potential Mitigations

Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.

https://cwe.mitre.org/data/definitions/540.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-9555
CWE	https://cwe.mitre.org/data/definitions/125.html

Out-of-bounds Read

Weakness

Affected Software

Potential Mitigations

References

CVE-2016-9555

Out-of-bounds Read

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References