[kernel] r7244 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sun Aug 27 04:02:48 UTC 2006


Author: dannf
Date: Sun Aug 27 04:02:47 2006
New Revision: 7244

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/226_snmp-nat-mem-corruption-fix.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4

Log:
* 226_snmp-nat-mem-corruption-fix.diff
  [SECURITY] Fix memory corruption in snmp_trap_decode
  See CVE-2006-2444

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Sun Aug 27 04:02:47 2006
@@ -19,8 +19,11 @@
     [SECURITY] Fix DoS vulnerability whereby a local user could attempt
     a dio/mmap and cause the sg driver to oops.
     See CVE-2006-1528
+  * 226_snmp-nat-mem-corruption-fix.diff
+    [SECURITY] Fix memory corruption in snmp_trap_decode
+    See CVE-2006-2444
 
- -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 21:30:40 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 22:01:32 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge3) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/226_snmp-nat-mem-corruption-fix.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/226_snmp-nat-mem-corruption-fix.diff	Sun Aug 27 04:02:47 2006
@@ -0,0 +1,65 @@
+From: Patrick McHardy <kaber at trash.net>
+Date: Tue, 23 May 2006 08:05:41 +0000 (-0700)
+Subject: [NETFILTER]: SNMP NAT: fix memory corruption
+X-Git-Tag: v2.4.33-rc1
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commitdiff;h=818593c85a382705afd1bcb5570d89a19238fc18
+
+[NETFILTER]: SNMP NAT: fix memory corruption
+
+Fix memory corruption caused by snmp_trap_decode:
+
+- When snmp_trap_decode fails before the id and address are allocated,
+  the pointers contain random memory, but are freed by the caller
+  (snmp_parse_mangle).
+
+- When snmp_trap_decode fails after allocating just the ID, it tries
+  to free both address and ID, but the address pointer still contains
+  random memory. The caller frees both ID and random memory again.
+
+- When snmp_trap_decode fails after allocating both, it frees both,
+  and the callers frees both again.
+
+The corruption can be triggered remotely when the ip_nat_snmp_basic
+module is loaded and traffic on port 161 or 162 is NATed.
+
+Found by multiple testcases of the trap-app and trap-enc groups of the
+PROTOS c06-snmpv1 testsuite.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
+@@ -996,12 +996,12 @@ static unsigned char snmp_trap_decode(st
+ 		
+ 	return 1;
+ 
++err_addr_free:
++	kfree((unsigned long *)trap->ip_address);
++
+ err_id_free:
+ 	kfree(trap->id);
+ 
+-err_addr_free:
+-	kfree((unsigned long *)trap->ip_address);
+-	
+ 	return 0;
+ }
+ 
+@@ -1119,11 +1119,10 @@ static int snmp_parse_mangle(unsigned ch
+ 		struct snmp_v1_trap trap;
+ 		unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
+ 		
+-		/* Discard trap allocations regardless */
+-		kfree(trap.id);
+-		kfree((unsigned long *)trap.ip_address);
+-		
+-		if (!ret)
++		if (ret) {
++			kfree(trap.id);
++			kfree((unsigned long *)trap.ip_address);
++		} else 
+ 			return ret;
+ 		
+ 	} else {
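Review bot: In the snmp_parse_mangle hunk `struct snmp_v1_trap trap;` is still declared without an initializer, so the corrected ownership rule (snmp_trap_decode's labels free only what they allocated, the caller frees only when `ret` is non-zero) is the sole thing preventing another free of uninitialized pointers; a zero-init before the call, `memset(&trap, 0, sizeof(trap));`, would turn any future error-path regression into a kfree of NULL rather than of garbage (kfree tolerates NULL in this tree as far as I recall — worth confirming). The reordered labels in snmp_trap_decode now depend on fall-through from `err_addr_free` into `err_id_free`, which deserves a comment such as `/* fall through: ip_address is allocated after id, so free it first */` above `err_addr_free:`, since the previous label order is exactly what produced the double free. Minor style: `} else ` carries a trailing space and guards an unbraced `return ret;`; `} else {` / `return ret;` / `}` is the kernel's preferred form. Both snmp_trap_decode and snmp_parse_mangle begin and end outside the quoted hunks.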

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4	Sun Aug 27 04:02:47 2006
@@ -1,3 +1,4 @@
 + 223_nfs-handle-long-symlinks.diff
 + 224_cdrom-bad-cgc.buflen-assign.diff
 + 225_sg-no-mmap-VM_IO.diff
++ 226_snmp-nat-mem-corruption-fix.diff


