r2001 - in trunk/kernel/source: kernel-source-2.6.8-2.6.8/debian kernel-source-2.6.8-2.6.8/debian/patches kernel-source-2.6.8-2.6.8/debian/patches/series kernel-source-2.6.9-2.6.9/debian kernel-source-2.6.9-2.6.9/debian/patches kernel-source-2.6.9-2.6.9/debian/patches/series
Andres Salomon
dilinger-guest@haydn.debian.org
Wed, 15 Dec 2004 15:07:02 -0700
Author: dilinger-guest
Date: 2004-12-15 15:06:41 -0700 (Wed, 15 Dec 2004)
New Revision: 2001
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/igmp-src-list-fix.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/scm_send-dos-fix.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/igmp-src-list-fix.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/scm_send-dos-fix.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
Log:
* [SECURITY] scm_send local DoS fix (advisory:
http://www.isec.pl/vulnerabilities/isec-0019-scm.txt) (Andres Salomon).
* [SECURITY] igmp remotely exploitable bugfix
(http://www.isec.pl/vulnerabilities/isec-0018-igmp.txt) (Andres Salomon).
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-15 13:12:11 UTC (rev 2000)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-15 22:06:41 UTC (rev 2001)
@@ -22,6 +22,12 @@
* Restore BLKRRPART semantics - breaks partitioning programms on empty disks
(Maximilian Attems).
+ * [SECURITY] scm_send local DoS fix (advisory:
+ http://www.isec.pl/vulnerabilities/isec-0019-scm.txt) (Andres Salomon).
+
+ * [SECURITY] igmp remotely exploitable bugfix
+ (http://www.isec.pl/vulnerabilities/isec-0018-igmp.txt) (Andres Salomon).
+
-- dann frazier <dannf@debian.org> Fri, 03 Dec 2004 00:13:41 -0700
kernel-source-2.6.8 (2.6.8-10) unstable; urgency=high
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/igmp-src-list-fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/igmp-src-list-fix.dpatch 2004-12-15 13:12:11 UTC (rev 2000)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/igmp-src-list-fix.dpatch 2004-12-15 22:06:41 UTC (rev 2001)
@@ -0,0 +1,122 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] IGMP source filter fixes
+## DP: Patch author: Chris Wright <chrisw@osdl.org>
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/14 11:06:25-08:00 chrisw@osdl.org
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/igmp.c
+# 2004/12/14 11:06:01-08:00 chrisw@osdl.org +5 -5
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv6/mcast.c
+# 2004/12/14 11:06:01-08:00 chrisw@osdl.org +5 -5
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c 2004-12-15 13:52:41 -08:00
++++ b/net/ipv4/igmp.c 2004-12-15 13:52:41 -08:00
+@@ -1778,12 +1778,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -1825,9 +1825,9 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
+diff -Nru a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+--- a/net/ipv6/mcast.c 2004-12-15 13:52:41 -08:00
++++ b/net/ipv6/mcast.c 2004-12-15 13:52:41 -08:00
+@@ -391,12 +391,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group,
++ rv = memcmp(&psl->sl_addr[i], source,
+ sizeof(struct in6_addr));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -437,8 +437,8 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
+- if (rv >= 0)
++ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
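Review bot: The context line `rv = 1; /* > 0 for insert logic below if sl_count is 0 */` in the second igmp.c hunk (and its mcast.c twin) is now stale: the loop only stops on `rv == 0`, so after a non-match `rv` is whatever the last memcmp returned, and the changeset message says the sorted insert that cared about the sign has been dropped; a comment such as `rv = 1; /* non-zero: "not found" when sl_count is 0 */` would describe what the value means now. If the insertion code that follows these hunks (outside this view, as are both enclosing functions) still consulted the sign of `rv`, the fix would be incomplete, so that is worth confirming against the full file. Separately, the dpatch template header `## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>` was left unfilled here and in the three other dpatch files added by this revision (scm_send-dos-fix.dpatch for 2.6.8, and both files under 2.6.9); it should read `## igmp-src-list-fix.dpatch by <COMMITTER NAME AND ADDRESS>` with the committer filled in, and a `## DP:` line citing the isec-0018 advisory URL from the changelog would let someone auditing the series tie the patch to the issue without opening the changelog.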
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/scm_send-dos-fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/scm_send-dos-fix.dpatch 2004-12-15 13:12:11 UTC (rev 2000)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/scm_send-dos-fix.dpatch 2004-12-15 22:06:41 UTC (rev 2001)
@@ -0,0 +1,117 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] Fix CMSG validation checks wrt. signedness.
+## DP: Patch author: Herbert Xu <herbert@gondor.apana.org.au>
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/08 12:49:21-08:00 herbert@gondor.apana.org.au
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# Noticed by Georgi Guninski.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/linux/socket.h
+# 2004/12/08 12:48:28-08:00 herbert@gondor.apana.org.au +4 -0
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/core/scm.c
+# 2004/12/08 12:48:28-08:00 herbert@gondor.apana.org.au +1 -3
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/ipv4/ip_sockglue.c
+# 2004/12/08 12:48:28-08:00 herbert@gondor.apana.org.au +1 -4
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/ipv6/datagram.c
+# 2004/12/08 12:48:28-08:00 herbert@gondor.apana.org.au +1 -3
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/sctp/socket.c
+# 2004/12/08 12:48:29-08:00 herbert@gondor.apana.org.au +1 -5
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+diff -Nru a/include/linux/socket.h b/include/linux/socket.h
+--- a/include/linux/socket.h 2004-12-15 13:50:50 -08:00
++++ b/include/linux/socket.h 2004-12-15 13:50:50 -08:00
+@@ -90,6 +90,10 @@
+ (struct cmsghdr *)(ctl) : \
+ (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++ (cmsg)->cmsg_len <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+
+ /*
+ * This mess will go away with glibc
+diff -Nru a/net/core/scm.c b/net/core/scm.c
+--- a/net/core/scm.c 2004-12-15 13:50:50 -08:00
++++ b/net/core/scm.c 2004-12-15 13:50:50 -08:00
+@@ -127,9 +127,7 @@
+ for too short ancillary data object at all! Oops.
+ OK, let's add it...
+ */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen)
++ if (!CMSG_OK(msg, cmsg))
+ goto error;
+
+ if (cmsg->cmsg_level != SOL_SOCKET)
+diff -Nru a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+--- a/net/ipv4/ip_sockglue.c 2004-12-15 13:50:50 -08:00
++++ b/net/ipv4/ip_sockglue.c 2004-12-15 13:50:50 -08:00
+@@ -146,11 +146,8 @@
+ struct cmsghdr *cmsg;
+
+ for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+ if (cmsg->cmsg_level != SOL_IP)
+ continue;
+ switch (cmsg->cmsg_type) {
+diff -Nru a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+--- a/net/ipv6/datagram.c 2004-12-15 13:50:50 -08:00
++++ b/net/ipv6/datagram.c 2004-12-15 13:50:50 -08:00
+@@ -427,9 +427,7 @@
+ int addr_type;
+ struct net_device *dev = NULL;
+
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg)) {
+ err = -EINVAL;
+ goto exit_f;
+ }
+diff -Nru a/net/sctp/socket.c b/net/sctp/socket.c
+--- a/net/sctp/socket.c 2004-12-15 13:50:50 -08:00
++++ b/net/sctp/socket.c 2004-12-15 13:50:50 -08:00
+@@ -4098,12 +4098,8 @@
+ for (cmsg = CMSG_FIRSTHDR(msg);
+ cmsg != NULL;
+ cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
+- /* Check for minimum length. The SCM code has this check. */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+
+ /* Should we parse this header or ignore? */
+ if (cmsg->cmsg_level != IPPROTO_SCTP)
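Review bot: The sctp/socket.c hunk drops the explanatory comment `/* Check for minimum length. The SCM code has this check. */` and replaces it with nothing, so the one-line `if (!CMSG_OK(msg, cmsg))` is the only remaining trace of why the header is rejected; keeping a short comment such as `/* Reject a cmsg that is shorter than its header or overruns msg_controllen */` preserves the intent for the next reader (the other three callers never had one, and would benefit the same way). On the socket.h side, `CMSG_OK` evaluates both `mhdr` and `cmsg` more than once, so it is only safe with side-effect-free arguments — every caller in this patch passes plain identifiers, but a comment above the macro stating that, and stating that it compares `cmsg_len` against `msg_controllen` minus the header offset precisely so that the `offset + cmsg_len` sum of the replaced expression can no longer wrap, would document the security property the macro exists for. The same points apply verbatim to the identical scm_send-dos-fix.dpatch added under kernel-source-2.6.9.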
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-15 13:12:11 UTC (rev 2000)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-15 22:06:41 UTC (rev 2001)
@@ -4,3 +4,5 @@
+ unix-serialize-dgram.dpatch
+ drivers-firmware-pcdp-register.dpatch
+ arch-x86_64-sys32_ni-overflow.dpatch
++ scm_send-dos-fix.dpatch
++ igmp-src-list-fix.dpatch
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-15 13:12:11 UTC (rev 2000)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-15 22:06:41 UTC (rev 2001)
@@ -27,7 +27,12 @@
* Restore BLKRRPART semantics - breaks partitioning programms on empty disks
(Maximilian Attems).
+ * [SECURITY] scm_send local DoS fix (advisory:
+ http://www.isec.pl/vulnerabilities/isec-0019-scm.txt) (Andres Salomon).
+ * [SECURITY] igmp remotely exploitable bugfix
+ (http://www.isec.pl/vulnerabilities/isec-0018-igmp.txt) (Andres Salomon).
+
-- dann frazier <dannf@debian.org> Fri, 03 Dec 2004 09:26:52 -0700
kernel-source-2.6.9 (2.6.9-3) unstable; urgency=low
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/igmp-src-list-fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/igmp-src-list-fix.dpatch 2004-12-15 13:12:11 UTC (rev 2000)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/igmp-src-list-fix.dpatch 2004-12-15 22:06:41 UTC (rev 2001)
@@ -0,0 +1,122 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] IGMP source filter fixes
+## DP: Patch author: Chris Wright <chrisw@osdl.org>
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/14 11:06:25-08:00 chrisw@osdl.org
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/igmp.c
+# 2004/12/14 11:06:01-08:00 chrisw@osdl.org +5 -5
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv6/mcast.c
+# 2004/12/14 11:06:01-08:00 chrisw@osdl.org +5 -5
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c 2004-12-15 13:52:41 -08:00
++++ b/net/ipv4/igmp.c 2004-12-15 13:52:41 -08:00
+@@ -1778,12 +1778,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -1825,9 +1825,9 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
+diff -Nru a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+--- a/net/ipv6/mcast.c 2004-12-15 13:52:41 -08:00
++++ b/net/ipv6/mcast.c 2004-12-15 13:52:41 -08:00
+@@ -391,12 +391,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group,
++ rv = memcmp(&psl->sl_addr[i], source,
+ sizeof(struct in6_addr));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -437,8 +437,8 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
+- if (rv >= 0)
++ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/scm_send-dos-fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/scm_send-dos-fix.dpatch 2004-12-15 13:12:11 UTC (rev 2000)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/scm_send-dos-fix.dpatch 2004-12-15 22:06:41 UTC (rev 2001)
@@ -0,0 +1,117 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] Fix CMSG validation checks wrt. signedness.
+## DP: Patch author: Herbert Xu <herbert@gondor.apana.org.au>
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/08 12:49:21-08:00 herbert@gondor.apana.org.au
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# Noticed by Georgi Guninski.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/linux/socket.h
+# 2004/12/08 12:48:28-08:00 herbert@gondor.apana.org.au +4 -0
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/core/scm.c
+# 2004/12/08 12:48:28-08:00 herbert@gondor.apana.org.au +1 -3
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/ipv4/ip_sockglue.c
+# 2004/12/08 12:48:28-08:00 herbert@gondor.apana.org.au +1 -4
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/ipv6/datagram.c
+# 2004/12/08 12:48:28-08:00 herbert@gondor.apana.org.au +1 -3
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/sctp/socket.c
+# 2004/12/08 12:48:29-08:00 herbert@gondor.apana.org.au +1 -5
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+diff -Nru a/include/linux/socket.h b/include/linux/socket.h
+--- a/include/linux/socket.h 2004-12-15 13:50:50 -08:00
++++ b/include/linux/socket.h 2004-12-15 13:50:50 -08:00
+@@ -90,6 +90,10 @@
+ (struct cmsghdr *)(ctl) : \
+ (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++ (cmsg)->cmsg_len <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+
+ /*
+ * This mess will go away with glibc
+diff -Nru a/net/core/scm.c b/net/core/scm.c
+--- a/net/core/scm.c 2004-12-15 13:50:50 -08:00
++++ b/net/core/scm.c 2004-12-15 13:50:50 -08:00
+@@ -127,9 +127,7 @@
+ for too short ancillary data object at all! Oops.
+ OK, let's add it...
+ */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen)
++ if (!CMSG_OK(msg, cmsg))
+ goto error;
+
+ if (cmsg->cmsg_level != SOL_SOCKET)
+diff -Nru a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+--- a/net/ipv4/ip_sockglue.c 2004-12-15 13:50:50 -08:00
++++ b/net/ipv4/ip_sockglue.c 2004-12-15 13:50:50 -08:00
+@@ -146,11 +146,8 @@
+ struct cmsghdr *cmsg;
+
+ for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+ if (cmsg->cmsg_level != SOL_IP)
+ continue;
+ switch (cmsg->cmsg_type) {
+diff -Nru a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+--- a/net/ipv6/datagram.c 2004-12-15 13:50:50 -08:00
++++ b/net/ipv6/datagram.c 2004-12-15 13:50:50 -08:00
+@@ -427,9 +427,7 @@
+ int addr_type;
+ struct net_device *dev = NULL;
+
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg)) {
+ err = -EINVAL;
+ goto exit_f;
+ }
+diff -Nru a/net/sctp/socket.c b/net/sctp/socket.c
+--- a/net/sctp/socket.c 2004-12-15 13:50:50 -08:00
++++ b/net/sctp/socket.c 2004-12-15 13:50:50 -08:00
+@@ -4098,12 +4098,8 @@
+ for (cmsg = CMSG_FIRSTHDR(msg);
+ cmsg != NULL;
+ cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
+- /* Check for minimum length. The SCM code has this check. */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+
+ /* Should we parse this header or ignore? */
+ if (cmsg->cmsg_level != IPPROTO_SCTP)
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-15 13:12:11 UTC (rev 2000)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-15 22:06:41 UTC (rev 2001)
@@ -6,3 +6,5 @@
+ drivers-firmware-pcdp-register.dpatch
+ arch-x86_64-sys32_ni-overflow.dpatch
+ fs-partitions-check.dpatch
++ scm_send-dos-fix.dpatch
++ igmp-src-list-fix.dpatch