[Glibc-bsd-commits] r5469 - in trunk/kfreebsd-10/debian: . patches

rmh at alioth.debian.org rmh at alioth.debian.org
Sun May 4 13:09:52 UTC 2014


Author: rmh
Date: 2014-05-04 13:09:52 +0000 (Sun, 04 May 2014)
New Revision: 5469

Added:
   trunk/kfreebsd-10/debian/patches/SA-14_08.tcp.patch
Modified:
   trunk/kfreebsd-10/debian/changelog
   trunk/kfreebsd-10/debian/patches/series
Log:
  * Fix for SA-14:08 / CVE-2014-3000 (TCP reassembly vulnerability).
    (Closes: #746949)

Modified: trunk/kfreebsd-10/debian/changelog
===================================================================
--- trunk/kfreebsd-10/debian/changelog	2014-05-04 12:10:53 UTC (rev 5468)
+++ trunk/kfreebsd-10/debian/changelog	2014-05-04 13:09:52 UTC (rev 5469)
@@ -1,10 +1,15 @@
-kfreebsd-10 (10.0-5) UNRELEASED; urgency=medium
+kfreebsd-10 (10.0-5) unstable; urgency=high
 
+  [ Christoph Egger ]
   * Increase firmware size limit to 1MiB. This should be enough for at
     least iwlwifi firmware to safely load
 
- -- Christoph Egger <christoph at debian.org>  Fri, 18 Apr 2014 15:51:39 +0200
+  [ Robert Millan ]
+  * Fix for SA-14:08 / CVE-2014-3000 (TCP reassembly vulnerability).
+    (Closes: #746949)
 
+ -- Robert Millan <rmh at debian.org>  Sun, 04 May 2014 12:00:30 +0200
+
 kfreebsd-10 (10.0-4) unstable; urgency=low
 
   [ Steven Chamberlain ]

Added: trunk/kfreebsd-10/debian/patches/SA-14_08.tcp.patch
===================================================================
--- trunk/kfreebsd-10/debian/patches/SA-14_08.tcp.patch	                        (rev 0)
+++ trunk/kfreebsd-10/debian/patches/SA-14_08.tcp.patch	2014-05-04 13:09:52 UTC (rev 5469)
@@ -0,0 +1,30 @@
+--- a/sys/netinet/tcp_reass.c
++++ b/sys/netinet/tcp_reass.c
+@@ -205,7 +205,7 @@
+ 	 * Investigate why and re-evaluate the below limit after the behaviour
+ 	 * is understood.
+ 	 */
+-	if (th->th_seq != tp->rcv_nxt &&
++	if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ 	    tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+ 		V_tcp_reass_overflows++;
+ 		TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -228,7 +228,7 @@
+ 	 */
+ 	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ 	if (te == NULL) {
+-		if (th->th_seq != tp->rcv_nxt) {
++		if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ 			TCPSTAT_INC(tcps_rcvmemdrop);
+ 			m_freem(m);
+ 			*tlenp = 0;
+@@ -276,7 +276,8 @@
+ 				TCPSTAT_INC(tcps_rcvduppack);
+ 				TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ 				m_freem(m);
+-				uma_zfree(V_tcp_reass_zone, te);
++				if (te != &tqs)
++					uma_zfree(V_tcp_reass_zone, te);
+ 				tp->t_segqlen--;
+ 				/*
+ 				 * Try to present any queued data
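Review bot: SA-14_08.tcp.patch begins directly at `--- a/sys/netinet/tcp_reass.c` with no header, so the file itself records neither the advisory it addresses nor the upstream change it was copied from, which makes it hard to re-verify against upstream later. A short DEP-3 style header would cover that, for example `Description: Fix TCP reassembly vulnerability (SA-14:08, CVE-2014-3000)`, `Origin: upstream, <URL of the upstream advisory patch>` and `Bug-Debian: https://bugs.debian.org/746949`. In the third embedded hunk the new `if (te != &tqs)` guard carries no comment; judging by the address-of, `tqs` is not an object from `V_tcp_reass_zone`, and if local patches may diverge from upstream, a comment such as `/* tqs is not zone-allocated; never pass it to uma_zfree() */` would keep a later refactor from dropping the guard. The enclosing function starts and ends outside the embedded hunks, so whether the unconditional `tp->t_segqlen--` is balanced for the `tqs` case cannot be confirmed from here.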

Modified: trunk/kfreebsd-10/debian/patches/series
===================================================================
--- trunk/kfreebsd-10/debian/patches/series	2014-05-04 12:10:53 UTC (rev 5468)
+++ trunk/kfreebsd-10/debian/patches/series	2014-05-04 13:09:52 UTC (rev 5469)
@@ -4,6 +4,7 @@
 radeonkms_abort_nofw.diff
 newcons.diff
 SA-14_05.nfsserver.patch
+SA-14_08.tcp.patch
 
 # Patches that are in good shape for merging upstream
 mount_remount.diff



