r3413 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Simon Horman
horms@costa.debian.org
Thu, 30 Jun 2005 07:39:17 +0000
Author: horms
Date: 2005-06-30 07:39:16 +0000 (Thu, 30 Jun 2005)
New Revision: 3413
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison-1.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison-2.dpatch
Removed:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
Log:
2.6.8 does not have eth_hdr()
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-06-30 06:16:34 UTC (rev 3412)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-06-30 07:39:16 UTC (rev 3413)
@@ -84,10 +84,11 @@
* net-bridge-mangle-oops-1.dpatch, net-bridge-mangle-oops-2.dpatch
Fix oops when mangling and brouting and tcpdumping packets
- Needed for net-bridge-forwarding-poison.dpatch
+ Needed for net-bridge-forwarding-poison-1.dpatch
(Simon Horman)
- * [SECURITY] net-bridge-forwarding-poison.dpatch
+ * [SECURITY] net-bridge-forwarding-poison-2.dpatch,
+ net-bridge-forwarding-poison-2.dpatch:
Avoid poisoning of the bridge forwarding table by frames that have been
dropped by filtering. This prevents spoofed source addresses on hostile
side of bridge from causing packet leakage, a small but possible security
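Review bot: The new [SECURITY] entry names net-bridge-forwarding-poison-2.dpatch twice, once on the added bullet line and again on its continuation line, and never names net-bridge-forwarding-poison-1.dpatch. The commit adds both files and the mangle-oops entry just above now refers to -1, so the first name should read net-bridge-forwarding-poison-1.dpatch to keep the changelog in step with the series file.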
@@ -110,7 +111,7 @@
* net-ipv4-ipvs-conn_tab-race.dpatch
Fix race condition on p_vs_conn_tab list modification
- -- Simon Horman <horms@debian.org> Thu, 30 Jun 2005 15:11:25 +0900
+ -- Simon Horman <horms@debian.org> Thu, 30 Jun 2005 16:35:19 +0900
kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
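Review bot: The context line under net-ipv4-ipvs-conn_tab-race.dpatch reads "p_vs_conn_tab", which looks like a dropped leading "i" (ip_vs_conn_tab, going by the patch name). Since the trailer of this entry block is being re-stamped here anyway, the spelling could be corrected in the same upload.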
Copied: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison-1.dpatch (from rev 3409, trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison.dpatch)
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison-2.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison-2.dpatch 2005-06-30 06:16:34 UTC (rev 3412)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison-2.dpatch 2005-06-30 07:39:16 UTC (rev 3413)
@@ -0,0 +1,29 @@
+# origin: Horms <horms@debian.org>
+# inclusion: backport for 2.6.8 not appropriate for upstream
+# descrition: 2.6.8 doesn't have eth_hdr()
+# revision date: Thu, 30 Jun 2005 16:34:22 +0900
+#
+# Signed-off-by: Horms <horms@debian.org>
+#
+--- a/net/bridge/br_input.c 2005-06-30 16:32:04.000000000 +0900
++++ b/net/bridge/br_input.c 2005-06-30 16:32:16.000000000 +0900
+@@ -55,7 +55,7 @@
+ int passedup = 0;
+
+ /* insert into forwarding database after filtering to avoid spoofing */
+- br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
++ br_fdb_insert(p->br, p, skb->mac.ethernet->h_source, 0);
+
+ if (br->dev->flags & IFF_PROMISC) {
+ struct sk_buff *skb2;
+--- a/net/bridge/br_stp_bpdu.c 2005-06-30 16:36:25.000000000 +0900
++++ b/net/bridge/br_stp_bpdu.c 2005-06-30 16:36:41.000000000 +0900
+@@ -141,7 +141,7 @@
+ unsigned char *buf;
+
+ /* insert into forwarding database after filtering to avoid spoofing */
+- br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
++ br_fdb_insert(p->br, p, skb->mac.ethernet->h_source, 0);
+
+ /* need at least the 802 and STP headers */
+ if (!pskb_may_pull(skb, sizeof(header)+1) ||
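Review bot: The header field on the third line of the new dpatch is spelled "descrition"; it should be "description" so the field is found by anything that reads these headers. The substitution itself is consistent with the tree: the br_handle_frame() context in the original patch already reads the source address as skb->mac.ethernet->h_source, so both replaced calls now use the same accessor as the surrounding 2.6.8 code.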
Deleted: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison.dpatch 2005-06-30 06:16:34 UTC (rev 3412)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison.dpatch 2005-06-30 07:39:16 UTC (rev 3413)
@@ -1,62 +0,0 @@
-commit c5187a40291642ae66928dd54bc83117286067d3
-tree edd6698f06f6bda7f867f99bc416df08feacf506
-parent 39dbf77a9f6acde730378c8b83879fc33ff4a596
-author Stephen Hemminger <shemminger@osdl.org> 1118248209 -0700
-committer Chris Wright <chrisw@osdl.org> 1118544326 -0700
-
-[PATCH] prevent bad forwarding table updates
-
-Avoid poisoning of the bridge forwarding table by frames that have been
-dropped by filtering. This prevents spoofed source addresses on hostile
-side of bridge from causing packet leakage, a small but possible security
-risk.
-
-Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
-Signed-off-by: Chris Wright <chrisw@osdl.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
-I:100644 100644 943d5ddc5f26e626031b0ab0a0865b9685474fe2 0c4a8aa0375f46e38cf8c4c60faabbb906ac7a2b M net/bridge/br_input.c
-R:100644 100644 b91a875aca01c23f0b37b7916cad225e0c5f9fe5 f62e08d68658348dbd66f7df2ed3eb67dbd76630 M net/bridge/br_stp_bpdu.c
-
-Key:
-S: Skipped
-I: Included Included verbatim
-D: Deleted Manually deleted by subsequent user edit
-R: Revised Manually revised by subsequent user edit
-
-diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
---- a/net/bridge/br_input.c
-+++ b/net/bridge/br_input.c
-@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buf
- struct net_bridge_fdb_entry *dst;
- int passedup = 0;
-
-+ /* insert into forwarding database after filtering to avoid spoofing */
-+ br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
-+
- if (br->dev->flags & IFF_PROMISC) {
- struct sk_buff *skb2;
-
-@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_po
- if (eth_hdr(skb)->h_source[0] & 1)
- goto err;
-
-- if (p->state == BR_STATE_LEARNING ||
-- p->state == BR_STATE_FORWARDING)
-+ if (p->state == BR_STATE_LEARNING)
- br_fdb_insert(p->br, p, skb->mac.ethernet->h_source, 0);
-
- if (p->br->stp_enabled &&
-diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
---- a/net/bridge/br_stp_bpdu.c
-+++ b/net/bridge/br_stp_bpdu.c
-@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *s
- struct net_bridge *br = p->br;
- unsigned char *buf;
-
-+ /* insert into forwarding database after filtering to avoid spoofing */
-+ br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
-+
- /* need at least the 802 and STP headers */
- if (!pskb_may_pull(skb, sizeof(header)+1) ||
- memcmp(skb->data, header, sizeof(header)))
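Review bot: In the br_handle_frame hunk the context line "if (eth_hdr(skb)->h_source[0] & 1)" uses eth_hdr(), while the br_fdb_insert() call further down in the same hunk uses skb->mac.ethernet->h_source. Given the log message says 2.6.8 does not have eth_hdr(), please confirm that the copy kept as net-bridge-forwarding-poison-1.dpatch applies to the 2.6.8 tree at that hunk without fuzz. The copy is also taken from rev 3409 while this deletion is against rev 3412, and the diff does not show whether the two are identical.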
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17 2005-06-30 06:16:34 UTC (rev 3412)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17 2005-06-30 07:39:16 UTC (rev 3413)
@@ -17,7 +17,8 @@
+ net-bridge-netfilter-etables-smp-race.dpatch
+ net-bridge-mangle-oops-1.dpatch
+ net-bridge-mangle-oops-2.dpatch
-+ net-bridge-forwarding-poison.dpatch
++ net-bridge-forwarding-poison-1.dpatch
++ net-bridge-forwarding-poison-2.dpatch
+ net-ipv4-netfilter-ip_queue-deadlock.dpatch
+ net-rose-ndigis-verify.dpatch
+ sound-usb-usbaudio-unplug-oops.dpatch
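Review bot: With only net-bridge-forwarding-poison-1.dpatch applied, the tree contains the eth_hdr() calls that, per the log message, 2.6.8 does not provide, so the two new entries must stay adjacent and in this order. A line in the -2 header stating that it depends on -1, or folding the substitution into -1 itself, would keep someone from dropping or reordering one of them later.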