[kernel] r14184 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Aug 24 15:20:49 UTC 2009
Author: dannf
Date: Mon Aug 24 15:20:47 2009
New Revision: 14184
Log:
[UDP]: Fix MSG_PROBE crash (CVE-2009-2698)
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/all/udp-fix-MSG_PROBE-crash.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/24etch4
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog Sun Aug 23 23:27:44 2009 (r14183)
+++ dists/etch-security/linux-2.6/debian/changelog Mon Aug 24 15:20:47 2009 (r14184)
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.18.dfsg.1-24etch4) UNRELEASED; urgency=high
+linux-2.6 (2.6.18.dfsg.1-24etch4) oldstable-security; urgency=high
* [parisc] isa-eeprom - Fix loff_t usage (CVE-2009-2846)
* do_sigaltstack: avoid copying 'stack_t' as a structure to user space
@@ -6,8 +6,9 @@
* execve: must clear current->clear_child_tid (CVE-2009-2848)
* md: avoid dereferencing NULL pointer when accessing suspend_* sysfs
attributes (CVE-2009-2849)
+ * [UDP]: Fix MSG_PROBE crash (CVE-2009-2698)
- -- dann frazier <dannf at debian.org> Thu, 20 Aug 2009 14:20:23 -0600
+ -- dann frazier <dannf at debian.org> Thu, 20 Aug 2009 15:00:41 -0600
linux-2.6 (2.6.18.dfsg.1-24etch3) oldstable-security; urgency=high
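Review bot: the trailer line in this hunk is bumped only to Thu, 20 Aug 2009 15:00:41 -0600, while this revision is dated Mon Aug 24 2009 and the entry is being moved from UNRELEASED to oldstable-security in the same commit; refreshing the trailer timestamp at release time would keep the changelog date in line with the actual upload. The added line `* [UDP]: Fix MSG_PROBE crash (CVE-2009-2698)` could also say that both the IPv4 and IPv6 UDP send paths are changed, since the patch touches net/ipv4/udp.c and net/ipv6/udp.c.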
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/udp-fix-MSG_PROBE-crash.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/udp-fix-MSG_PROBE-crash.patch Mon Aug 24 15:20:47 2009 (r14184)
@@ -0,0 +1,43 @@
+commit 1e0c14f49d6b393179f423abbac47f85618d3d46
+Author: Herbert Xu <herbert at gondor.apana.org.au>
+Date: Tue Oct 3 14:35:49 2006 -0700
+
+ [UDP]: Fix MSG_PROBE crash
+
+ UDP tracks corking status through the pending variable. The
+ IP layer also tracks it through the socket write queue. It
+ is possible for the two to get out of sync when MSG_PROBE is
+ used.
+
+ This patch changes UDP to check the write queue to ensure
+ that the two stay in sync.
+
+ Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 6d6142f..865d752 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -675,6 +675,8 @@ do_append_data:
+ udp_flush_pending_frames(sk);
+ else if (!corkreq)
+ err = udp_push_pending_frames(sk, up);
++ else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))
++ up->pending = 0;
+ release_sock(sk);
+
+ out:
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 552ec0f..e0c3934 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -770,6 +770,8 @@ do_append_data:
+ udp_v6_flush_pending_frames(sk);
+ else if (!corkreq)
+ err = udp_v6_push_pending_frames(sk, up);
++ else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))
++ up->pending = 0;
+
+ if (dst) {
+ if (connected) {
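Review bot: the new `else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))` branch in both do_append_data hunks has no comment, and from the code alone it is not clear why the write queue can be empty while `up->pending` is still set; a one-line comment above `up->pending = 0;` naming MSG_PROBE as the cause (as the commit message does) would make the resync understandable to later readers. Two smaller points. The patch header carries the upstream 2006 commit message unchanged and never mentions CVE-2009-2698, so only the changelog ties this file to the CVE; adding the CVE id to the header would make the patch file self-describing. And in the net/ipv4/udp.c hunk the new write sits directly before `release_sock(sk);`, while no `release_sock` is visible in the net/ipv6/udp.c context, so it is worth confirming against the full file that the IPv6 reset of `up->pending` also happens with the socket lock still held.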
Modified: dists/etch-security/linux-2.6/debian/patches/series/24etch4
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/24etch4 Sun Aug 23 23:27:44 2009 (r14183)
+++ dists/etch-security/linux-2.6/debian/patches/series/24etch4 Mon Aug 24 15:20:47 2009 (r14184)
@@ -3,3 +3,4 @@
+ bugfix/all/do_sigaltstack-small-cleanups.patch
+ bugfix/all/execve-must-clear-current-clear_child_tid.patch
+ bugfix/all/md-avoid-NULL-deref-with-suspend-sysfs-attribs.patch
++ bugfix/all/udp-fix-MSG_PROBE-crash.patch