[kernel] r7243 - in
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian:
patches patches/series
Dann Frazier
dannf at costa.debian.org
Sun Aug 27 03:57:05 UTC 2006
Author: dannf
Date: Sun Aug 27 03:57:04 2006
New Revision: 7243
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
Log:
* snmp-nat-mem-corruption-fix.dpatch
[SECURITY] Fix memory corruption in snmp_trap_decode
See CVE-2006-2444
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sun Aug 27 03:57:04 2006
@@ -46,8 +46,11 @@
readv-writev-missing-lsm-check-compat.dpatch
[SECURITY] Add missing file_permission callback in readv/writev syscalls
See CVE-2006-1856
+ * snmp-nat-mem-corruption-fix.dpatch
+ [SECURITY] Fix memory corruption in snmp_trap_decode
+ See CVE-2006-2444
- -- dann frazier <dannf at debian.org> Sat, 26 Aug 2006 21:18:29 -0600
+ -- dann frazier <dannf at debian.org> Sat, 26 Aug 2006 21:52:14 -0600
kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5 Sun Aug 27 03:57:04 2006
@@ -9,3 +9,4 @@
+ exit-bogus-bugon.dpatch
+ readv-writev-missing-lsm-check.dpatch
+ readv-writev-missing-lsm-check-compat.dpatch
++ snmp-nat-mem-corruption-fix.dpatch
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch Sun Aug 27 03:57:04 2006
@@ -0,0 +1,67 @@
+From: Patrick McHardy <kaber at trash.net>
+Date: Sat, 20 May 2006 07:31:26 +0000 (+0200)
+Subject: [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)
+X-Git-Tag: v2.6.16.18
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=1db6b5a66e93ff125ab871d6b3f7363412cc87e8
+
+[PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)
+
+CVE-2006-2444 - Potential remote DoS in SNMP NAT helper.
+
+Fix memory corruption caused by snmp_trap_decode:
+
+- When snmp_trap_decode fails before the id and address are allocated,
+ the pointers contain random memory, but are freed by the caller
+ (snmp_parse_mangle).
+
+- When snmp_trap_decode fails after allocating just the ID, it tries
+ to free both address and ID, but the address pointer still contains
+ random memory. The caller frees both ID and random memory again.
+
+- When snmp_trap_decode fails after allocating both, it frees both,
+ and the callers frees both again.
+
+The corruption can be triggered remotely when the ip_nat_snmp_basic
+module is loaded and traffic on port 161 or 162 is NATed.
+
+Found by multiple testcases of the trap-app and trap-enc groups of the
+PROTOS c06-snmpv1 testsuite.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+---
+
+--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
+@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(st
+
+ return 1;
+
++err_addr_free:
++ kfree((unsigned long *)trap->ip_address);
++
+ err_id_free:
+ kfree(trap->id);
+
+-err_addr_free:
+- kfree((unsigned long *)trap->ip_address);
+-
+ return 0;
+ }
+
+@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned ch
+ struct snmp_v1_trap trap;
+ unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
+
+- /* Discard trap allocations regardless */
+- kfree(trap.id);
+- kfree((unsigned long *)trap.ip_address);
+-
+- if (!ret)
++ if (ret) {
++ kfree(trap.id);
++ kfree((unsigned long *)trap.ip_address);
++ } else
+ return ret;
+
+ } else {
More information about the Kernel-svn-changes
mailing list