r2498 - in trunk: kernel/source kernel/source/kernel-source-2.6.10-2.6.10 kernel/source/kernel-source-2.6.10-2.6.10/debian kernel/source/kernel-source-2.6.10-2.6.10/debian/patches kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series kernel/source/kernel-source-2.6.8-2.6.8/debian kernel/source/kernel-source-2.6.8-2.6.8/debian/patches kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series kernel/source/kernel-source-2.6.9-2.6.9/debian kernel/source/kernel-source-2.6.9-2.6.9/debian/patches kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series kernel-2.4/source kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series kernel-2.4/source/kernel-source-2.4.29-2.4.29 kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches/series
Joshua Kwan
joshk@costa.debian.org
Thu, 17 Feb 2005 01:20:28 +0100
Author: joshk
Date: 2005-02-17 01:20:25 +0100 (Thu, 17 Feb 2005)
New Revision: 2498
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/134_skb_reset_ip_summed.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches/098_skb_reset_ip_summed.diff
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/skb-reset-ip_summed.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/skb-reset-ip_summed.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/skb-reset-ip_summed.dpatch
Modified:
trunk/kernel-2.4/source/
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/
trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches/series/2.4.29-1
trunk/kernel/source/
trunk/kernel/source/kernel-source-2.6.10-2.6.10/
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-6
Log:
add skb-reset-ip_summed.dpatch everywhere
Property changes on: trunk/kernel/source
___________________________________________________________________
Name: svn:ignore
+ orig
*.orig.tar.gz
Property changes on: trunk/kernel/source/kernel-source-2.6.10-2.6.10
___________________________________________________________________
Name: svn:ignore
- kernel
crypto
include
net
scripts
sound
CREDITS
README
init
lib
REPORTING-BUGS
security
fs
COPYING
mm
Documentation
usr
MAINTAINERS
ipc
arch
Makefile
drivers
+ kernel
crypto
include
net
scripts
sound
CREDITS
README
init
lib
REPORTING-BUGS
security
fs
COPYING
mm
Documentation
usr
MAINTAINERS
ipc
arch
Makefile
drivers
version.Debian
Modified: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog 2005-02-17 00:20:25 UTC (rev 2498)
@@ -8,8 +8,11 @@
* atyfb-sparc.dpatch: Fix post-2.6.10 atyfb breakage on SPARC32/64.
closes: #295488 (Joshua Kwan)
+
+ * skb-reset-ip_summed.dpatch: resolve checksumming exploit in
+ fragmented packet forwarding (Joshua Kwan)
- -- Joshua Kwan <joshk@triplehelix.org> Tue, 15 Feb 2005 19:34:33 -0800
+ -- Joshua Kwan <joshk@triplehelix.org> Wed, 16 Feb 2005 16:14:19 -0800
kernel-source-2.6.10 (2.6.10-5) unstable; urgency=low
Modified: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6 2005-02-17 00:20:25 UTC (rev 2498)
@@ -1 +1,2 @@
+ atyfb-sparc.dpatch
++ skb-reset-ip_summed.dpatch
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/skb-reset-ip_summed.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/skb-reset-ip_summed.dpatch 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/skb-reset-ip_summed.dpatch 2005-02-17 00:20:25 UTC (rev 2498)
@@ -0,0 +1,66 @@
+# origin: bk
+# key: 41f59581p1swNaow4K1aBglV-q2jfQ (linux-2.5)
+# description: packet forwarding DoS issue
+# inclusion: projected 2.4.29 as backport
+# revision date: 2005-02-16
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/24 16:40:33-08:00 herbert@gondor.apana.org.au
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv6/ip6_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+--- a/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
+@@ -504,6 +504,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ frag->nh.raw = __skb_push(frag, hlen);
+ memcpy(frag->nh.raw, iph, hlen);
+diff -Nru a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+--- a/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
+@@ -592,6 +592,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ fh = (struct frag_hdr*)__skb_push(frag, sizeof(struct frag_hdr));
+ frag->nh.raw = __skb_push(frag, hlen);
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-02-17 00:20:25 UTC (rev 2498)
@@ -20,8 +20,11 @@
* Updated apply script so it can handle point versions
(Simon Horman)
+
+ * skb-reset-ip_summed.dpatch: resolve checksumming exploit in
+ fragmented packet forwarding (Joshua Kwan)
- -- Simon Horman <horms@debian.org> Mon, 14 Feb 2005 15:42:56 +0900
+ -- Joshua Kwan <joshk@triplehelix.org> Wed, 16 Feb 2005 16:11:59 -0800
kernel-source-2.6.8 (2.6.8-13) unstable; urgency=high
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14 2005-02-17 00:20:25 UTC (rev 2498)
@@ -5,4 +5,4 @@
+ ia64-ptrace-speedup.dpatch
+ ia64-ptrace-fixes.dpatch
+ ia64-unwind-fix.dpatch
-
++ skb-reset-ip_summed.dpatch
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/skb-reset-ip_summed.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/skb-reset-ip_summed.dpatch 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/skb-reset-ip_summed.dpatch 2005-02-17 00:20:25 UTC (rev 2498)
@@ -0,0 +1,66 @@
+# origin: bk
+# key: 41f59581p1swNaow4K1aBglV-q2jfQ (linux-2.5)
+# description: packet forwarding DoS issue
+# inclusion: projected 2.4.29 as backport
+# revision date: 2005-02-16
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/24 16:40:33-08:00 herbert@gondor.apana.org.au
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv6/ip6_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+--- a/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
+@@ -504,6 +504,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ frag->nh.raw = __skb_push(frag, hlen);
+ memcpy(frag->nh.raw, iph, hlen);
+diff -Nru a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+--- a/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
+@@ -592,6 +592,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ fh = (struct frag_hdr*)__skb_push(frag, sizeof(struct frag_hdr));
+ frag->nh.raw = __skb_push(frag, hlen);
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2005-02-17 00:20:25 UTC (rev 2498)
@@ -27,8 +27,11 @@
* Updated apply script so it can handle point versions
(Simon Horman)
+
+ * skb-reset-ip_summed.dpatch: resolve checksumming exploit in
+ fragmented packet forwarding (Joshua Kwan)
- -- Simon Horman <horms@debian.org> Mon, 14 Feb 2005 15:47:10 +0900
+ -- Joshua Kwan <joshk@triplehelix.org> Wed, 16 Feb 2005 16:12:53 -0800
kernel-source-2.6.9 (2.6.9-5) unstable; urgency=low
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-6
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-6 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-6 2005-02-17 00:20:25 UTC (rev 2498)
@@ -2,3 +2,4 @@
+ 034-stack_resize_exploit.dpatch
+ 035-do_brk_security_fixes-2.dpatch
+ au88x0-use-short-name.dpatch
++ skb-reset-ip_summed.dpatch
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/skb-reset-ip_summed.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/skb-reset-ip_summed.dpatch 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/skb-reset-ip_summed.dpatch 2005-02-17 00:20:25 UTC (rev 2498)
@@ -0,0 +1,66 @@
+# origin: bk
+# key: 41f59581p1swNaow4K1aBglV-q2jfQ (linux-2.5)
+# description: packet forwarding DoS issue
+# inclusion: projected 2.4.29 as backport
+# revision date: 2005-02-16
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/24 16:40:33-08:00 herbert@gondor.apana.org.au
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv6/ip6_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+--- a/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
+@@ -504,6 +504,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ frag->nh.raw = __skb_push(frag, hlen);
+ memcpy(frag->nh.raw, iph, hlen);
+diff -Nru a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+--- a/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
+@@ -592,6 +592,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ fh = (struct frag_hdr*)__skb_push(frag, sizeof(struct frag_hdr));
+ frag->nh.raw = __skb_push(frag, hlen);
Property changes on: trunk/kernel-2.4/source
___________________________________________________________________
Name: svn:ignore
+ orig
*.orig.tar.gz
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-02-17 00:20:25 UTC (rev 2498)
@@ -8,8 +8,11 @@
* Updated apply script so it can handle point versions
(Simon Horman)
+
+ * 134_skb_reset_ip_summed.diff: resolve checksumming exploit in
+ fragmented packet forwarding (Joshua Kwan)
- -- Simon Horman <horms@debian.org> Mon, 14 Feb 2005 14:34:54 +0900
+ -- Joshua Kwan <joshk@triplehelix.org> Wed, 16 Feb 2005 16:06:48 -0800
kernel-source-2.4.27 (2.4.27-8) unstable; urgency=high
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/134_skb_reset_ip_summed.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/134_skb_reset_ip_summed.diff 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/134_skb_reset_ip_summed.diff 2005-02-17 00:20:25 UTC (rev 2498)
@@ -0,0 +1,66 @@
+# origin: bk
+# key: 41f59581p1swNaow4K1aBglV-q2jfQ (linux-2.5)
+# description: packet forwarding DoS issue
+# inclusion: projected 2.4.29 as backport
+# revision date: 2005-02-16
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/24 16:40:33-08:00 herbert@gondor.apana.org.au
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv6/ip6_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+--- a/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
+@@ -504,6 +504,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ frag->nh.raw = __skb_push(frag, hlen);
+ memcpy(frag->nh.raw, iph, hlen);
+diff -Nru a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+--- a/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
+@@ -592,6 +592,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ fh = (struct frag_hdr*)__skb_push(frag, sizeof(struct frag_hdr));
+ frag->nh.raw = __skb_push(frag, hlen);
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-02-17 00:20:25 UTC (rev 2498)
@@ -0,0 +1 @@
++ 134_skb_reset_ip_summed.diff
Property changes on: trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29
___________________________________________________________________
Name: svn:ignore
- kernel
crypto
include
net
scripts
README
CREDITS
init
lib
Rules.make
REPORTING-BUGS
fs
COPYING
mm
Documentation
MAINTAINERS
ipc
arch
Makefile
drivers
+ kernel
crypto
include
net
scripts
README
CREDITS
init
lib
Rules.make
REPORTING-BUGS
fs
COPYING
mm
Documentation
MAINTAINERS
ipc
arch
Makefile
drivers
version.Debian
Modified: trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/changelog 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/changelog 2005-02-17 00:20:25 UTC (rev 2498)
@@ -9,10 +9,12 @@
- 114-binfmt_aout-CAN-2004-1074.diff (backport)
* Patches added
- 097_ipsec.diff (Herbert's backport)
+ - 098_skb_reset_ip_summed.diff: resolve checksumming exploit in
+ fragmented packet forwarding
- 101-503: add Willy Tarreau's hotfix patchset (2.4.29-hf2), addressing
some new security issues and bugs in 2.4.29
- -- Joshua Kwan <joshk@triplehelix.org> Tue, 15 Feb 2005 23:30:34 -0800
+ -- Joshua Kwan <joshk@triplehelix.org> Wed, 16 Feb 2005 16:10:45 -0800
kernel-source-2.4.28 (2.4.28-1) unstable; urgency=low
Added: trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches/098_skb_reset_ip_summed.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches/098_skb_reset_ip_summed.diff 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches/098_skb_reset_ip_summed.diff 2005-02-17 00:20:25 UTC (rev 2498)
@@ -0,0 +1,66 @@
+# origin: bk
+# key: 41f59581p1swNaow4K1aBglV-q2jfQ (linux-2.5)
+# description: packet forwarding DoS issue
+# inclusion: projected 2.4.29 as backport
+# revision date: 2005-02-16
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/24 16:40:33-08:00 herbert@gondor.apana.org.au
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv6/ip6_output.c
+# 2005/01/24 16:40:10-08:00 herbert@gondor.apana.org.au +1 -0
+# [IPV4/IPV6]: In ip_fragment(), reset ip_summed field on SKB sub-frags.
+#
+# If we forward a fragmented packet, we can have ip_summed
+# set to CHECKSUM_HW or similar. This is fine for local
+# protocol processing, but once if we are forwarding this
+# packet we want to reset ip_summed to CHECKSUM_NONE.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+--- a/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv4/ip_output.c 2005-02-16 15:58:30 -08:00
+@@ -504,6 +504,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ frag->nh.raw = __skb_push(frag, hlen);
+ memcpy(frag->nh.raw, iph, hlen);
+diff -Nru a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+--- a/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
++++ b/net/ipv6/ip6_output.c 2005-02-16 15:58:30 -08:00
+@@ -592,6 +592,7 @@
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+ if (frag) {
++ frag->ip_summed = CHECKSUM_NONE;
+ frag->h.raw = frag->data;
+ fh = (struct frag_hdr*)__skb_push(frag, sizeof(struct frag_hdr));
+ frag->nh.raw = __skb_push(frag, hlen);
Modified: trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches/series/2.4.29-1
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches/series/2.4.29-1 2005-02-16 21:20:18 UTC (rev 2497)
+++ trunk/kernel-2.4/source/kernel-source-2.4.29-2.4.29/debian/patches/series/2.4.29-1 2005-02-17 00:20:25 UTC (rev 2498)
@@ -90,6 +90,7 @@
+ 095_sparc32_initrd_memcpy.diff
+ 096_megaraid2_proc_name.diff
+ 097_ipsec.diff
++ 098_skb_reset_ip_summed.diff
+ 101-2.4.29-flash_erase-checks-cap_sys_admin-1.diff
+ 102-2.4.29-rw_verify_area-against-file-offset-overflow-2.diff
+ 103-2.4.29-rw_verify_area-missing-f_maxcount-1.diff