[Glibc-bsd-commits] r5469 - in trunk/kfreebsd-10/debian: . patches
rmh at alioth.debian.org
Sun May 4 13:09:52 UTC 2014
Author: rmh
Date: 2014-05-04 13:09:52 +0000 (Sun, 04 May 2014)
New Revision: 5469
Added:
trunk/kfreebsd-10/debian/patches/SA-14_08.tcp.patch
Modified:
trunk/kfreebsd-10/debian/changelog
trunk/kfreebsd-10/debian/patches/series
Log:
* Fix for SA-14:08 / CVE-2014-3000 (TCP reassembly vulnerability).
(Closes: #746949)
Modified: trunk/kfreebsd-10/debian/changelog
===================================================================
--- trunk/kfreebsd-10/debian/changelog 2014-05-04 12:10:53 UTC (rev 5468)
+++ trunk/kfreebsd-10/debian/changelog 2014-05-04 13:09:52 UTC (rev 5469)
@@ -1,10 +1,15 @@
-kfreebsd-10 (10.0-5) UNRELEASED; urgency=medium
+kfreebsd-10 (10.0-5) unstable; urgency=high
+ [ Christoph Egger ]
* Increase firmware size limit to 1MiB. This should be enough for at
least iwlwifi firmware to safely load
- -- Christoph Egger <christoph at debian.org> Fri, 18 Apr 2014 15:51:39 +0200
+ [ Robert Millan ]
+ * Fix for SA-14:08 / CVE-2014-3000 (TCP reassembly vulnerability).
+ (Closes: #746949)
+ -- Robert Millan <rmh at debian.org> Sun, 04 May 2014 12:00:30 +0200
+
kfreebsd-10 (10.0-4) unstable; urgency=low
[ Steven Chamberlain ]
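Review bot: the new entry under [ Robert Millan ] gives the advisory and CVE but not the file that carries the fix; naming SA-14_08.tcp.patch on that line would let a reader go from the changelog straight to the entry in debian/patches/series. The same hunk also changes UNRELEASED to unstable and urgency=medium to urgency=high, which the Log: text of the commit does not mention.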
Added: trunk/kfreebsd-10/debian/patches/SA-14_08.tcp.patch
===================================================================
--- trunk/kfreebsd-10/debian/patches/SA-14_08.tcp.patch (rev 0)
+++ trunk/kfreebsd-10/debian/patches/SA-14_08.tcp.patch 2014-05-04 13:09:52 UTC (rev 5469)
@@ -0,0 +1,30 @@
+--- a/sys/netinet/tcp_reass.c
++++ b/sys/netinet/tcp_reass.c
+@@ -205,7 +205,7 @@
+ * Investigate why and re-evaluate the below limit after the behaviour
+ * is understood.
+ */
+- if (th->th_seq != tp->rcv_nxt &&
++ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+ V_tcp_reass_overflows++;
+ TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -228,7 +228,7 @@
+ */
+ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ if (te == NULL) {
+- if (th->th_seq != tp->rcv_nxt) {
++ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ TCPSTAT_INC(tcps_rcvmemdrop);
+ m_freem(m);
+ *tlenp = 0;
+@@ -276,7 +276,8 @@
+ TCPSTAT_INC(tcps_rcvduppack);
+ TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ m_freem(m);
+- uma_zfree(V_tcp_reass_zone, te);
++ if (te != &tqs)
++ uma_zfree(V_tcp_reass_zone, te);
+ tp->t_segqlen--;
+ /*
+ * Try to present any queued data
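Review bot: the added patch file opens directly with the `--- a/sys/netinet/tcp_reass.c` line and has no header, so nothing inside the file ties it to SA-14:08 / CVE-2014-3000 or says where it was taken from; a short description and origin header above the first `---` line would fix that. In the last inner hunk (`@@ -276,7 +276,8 @@`) the new `if (te != &tqs)` guard refers to `tqs`, which is not declared in any of the context lines shown, so it cannot be checked from this diff when `te` points at it; a one-line comment at the guard would help. The condition `th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)` is repeated verbatim in the first two inner hunks and has to stay in sync between them.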
Modified: trunk/kfreebsd-10/debian/patches/series
===================================================================
--- trunk/kfreebsd-10/debian/patches/series 2014-05-04 12:10:53 UTC (rev 5468)
+++ trunk/kfreebsd-10/debian/patches/series 2014-05-04 13:09:52 UTC (rev 5469)
@@ -4,6 +4,7 @@
radeonkms_abort_nofw.diff
newcons.diff
SA-14_05.nfsserver.patch
+SA-14_08.tcp.patch
# Patches that are in good shape for merging upstream
mount_remount.diff