[kernel] r17931 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Aug 15 06:06:45 UTC 2011
Author: dannf
Date: Mon Aug 15 06:06:44 2011
New Revision: 17931
Log:
gro: Only reset frag0 when skb can be pulled (CVE-2011-2723)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Mon Aug 15 06:06:38 2011 (r17930)
+++ dists/squeeze-security/linux-2.6/debian/changelog Mon Aug 15 06:06:44 2011 (r17931)
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.32-35squeeze1) UNRELEASED; urgency=high
+linux-2.6 (2.6.32-35squeeze2) UNRELEASED; urgency=high
[ dann frazier ]
* Fix regression in fix for CVE-2011-1768 (Closes: #633738)
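Review bot: the version is renamed from 2.6.32-35squeeze1 to 2.6.32-35squeeze2 while the entry stays UNRELEASED, yet the only patch series extended in this revision is still debian/patches/series/35squeeze1. If the 35squeeze1 number is being skipped, the series file should be renamed to match; otherwise a one-line changelog remark on why the version moved without an upload would save the next reader the same question.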
@@ -11,11 +11,12 @@
* Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
* nl80211: fix check for valid SSID size in scan operations
* net_sched: Fix qdisc_notify() (CVE-2011-2525)
+ * gro: Only reset frag0 when skb can be pulled (CVE-2011-2723)
[ Moritz Muehlenhoff ]
* si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
- -- dann frazier <dannf at debian.org> Thu, 21 Jul 2011 00:31:53 -0600
+ -- dann frazier <dannf at debian.org> Mon, 15 Aug 2011 00:04:12 -0600
linux-2.6 (2.6.32-35) stable; urgency=high
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch Mon Aug 15 06:06:44 2011 (r17931)
@@ -0,0 +1,34 @@
+commit 17dd759c67f21e34f2156abcf415e1f60605a188
+Author: Herbert Xu <herbert at gondor.apana.org.au>
+Date: Wed Jul 27 06:16:28 2011 -0700
+
+ gro: Only reset frag0 when skb can be pulled
+
+ Currently skb_gro_header_slow unconditionally resets frag0 and
+ frag0_len. However, when we can't pull on the skb this leaves
+ the GRO fields in an inconsistent state.
+
+ This patch fixes this by only resetting those fields after the
+ pskb_may_pull test.
+
+ Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 1d92acc0..661a077 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1649,9 +1649,12 @@ static inline int skb_gro_header_hard(struct sk_buff *skb, unsigned int hlen)
+ static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
+ unsigned int offset)
+ {
++ if (!pskb_may_pull(skb, hlen))
++ return NULL;
++
+ NAPI_GRO_CB(skb)->frag0 = NULL;
+ NAPI_GRO_CB(skb)->frag0_len = 0;
+- return pskb_may_pull(skb, hlen) ? skb->data + offset : NULL;
++ return skb->data + offset;
+ }
+
+ static inline void *skb_gro_mac_header(struct sk_buff *skb)
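Review bot: the reordering in skb_gro_header_slow is correct as far as this hunk shows. The failure path still returns NULL to the caller, but NAPI_GRO_CB(skb)->frag0 and frag0_len are now left untouched instead of being cleared, which is exactly the inconsistency the commit message describes; the success path still clears both fields after the pull and returns skb->data + offset, so behaviour there is unchanged. Two things to confirm for the squeeze backport: that every 2.6.32 caller of skb_gro_header_slow already treats a NULL return as "stop GRO for this skb", since that branch now carries state across the call, and that the Debian patch header records CVE-2011-2723 alongside the upstream commit id 17dd759c67f21e34f2156abcf415e1f60605a188 so the security fix is traceable from the patch file alone rather than only from the changelog.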
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Mon Aug 15 06:06:38 2011 (r17930)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Mon Aug 15 06:06:44 2011 (r17931)
@@ -13,3 +13,4 @@
+ bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
+ bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
+ bugfix/all/net_sched-Fix-qdisc_notify.patch
++ bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch