[kernel] r7243 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sun Aug 27 03:57:05 UTC 2006 

Author: dannf
Date: Sun Aug 27 03:57:04 2006
New Revision: 7243

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5

Log:
* snmp-nat-mem-corruption-fix.dpatch
  [SECURITY] Fix memory corruption in snmp_trap_decode
  See CVE-2006-2444

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sun Aug 27 03:57:04 2006
@@ -46,8 +46,11 @@
     readv-writev-missing-lsm-check-compat.dpatch
     [SECURITY] Add missing file_permission callback in readv/writev syscalls
     See CVE-2006-1856
+  * snmp-nat-mem-corruption-fix.dpatch
+    [SECURITY] Fix memory corruption in snmp_trap_decode
+    See CVE-2006-2444
 
- -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 21:18:29 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 21:52:14 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high
 

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	Sun Aug 27 03:57:04 2006
@@ -9,3 +9,4 @@
 + exit-bogus-bugon.dpatch
 + readv-writev-missing-lsm-check.dpatch
 + readv-writev-missing-lsm-check-compat.dpatch
++ snmp-nat-mem-corruption-fix.dpatch

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch	Sun Aug 27 03:57:04 2006
@@ -0,0 +1,67 @@
+From: Patrick McHardy <kaber at trash.net>
+Date: Sat, 20 May 2006 07:31:26 +0000 (+0200)
+Subject: [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)
+X-Git-Tag: v2.6.16.18
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=1db6b5a66e93ff125ab871d6b3f7363412cc87e8
+
+[PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)
+
+CVE-2006-2444 - Potential remote DoS in SNMP NAT helper.
+
+Fix memory corruption caused by snmp_trap_decode:
+
+- When snmp_trap_decode fails before the id and address are allocated,
+  the pointers contain random memory, but are freed by the caller
+  (snmp_parse_mangle).
+
+- When snmp_trap_decode fails after allocating just the ID, it tries
+  to free both address and ID, but the address pointer still contains
+  random memory. The caller frees both ID and random memory again.
+
+- When snmp_trap_decode fails after allocating both, it frees both,
+  and the callers frees both again.
+
+The corruption can be triggered remotely when the ip_nat_snmp_basic
+module is loaded and traffic on port 161 or 162 is NATed.
+
+Found by multiple testcases of the trap-app and trap-enc groups of the
+PROTOS c06-snmpv1 testsuite.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+---
+
+--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
+@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(st
+ 		
+ 	return 1;
+ 
++err_addr_free:
++	kfree((unsigned long *)trap->ip_address);
++
+ err_id_free:
+ 	kfree(trap->id);
+ 
+-err_addr_free:
+-	kfree((unsigned long *)trap->ip_address);
+-	
+ 	return 0;
+ }
+ 
+@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned ch
+ 		struct snmp_v1_trap trap;
+ 		unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
+ 		
+-		/* Discard trap allocations regardless */
+-		kfree(trap.id);
+-		kfree((unsigned long *)trap.ip_address);
+-		
+-		if (!ret)
++		if (ret) {
++			kfree(trap.id);
++			kfree((unsigned long *)trap.ip_address);
++		} else 
+ 			return ret;
+ 		
+ 	} else {

More information about the Kernel-svn-changes mailing list