[kernel] r19785 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Feb 2 01:19:30 UTC 2013
Author: dannf
Date: Sat Feb 2 01:19:29 2013
New Revision: 19785
Log:
ipv6: discard overlapping fragment (CVE-2012-4444)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv6-discard-overlapping-fragment.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Mon Jan 28 05:21:38 2013 (r19784)
+++ dists/squeeze-security/linux-2.6/debian/changelog Sat Feb 2 01:19:29 2013 (r19785)
@@ -8,6 +8,7 @@
* ext4: Fix max file size and logical block counting of extent format file
(CVE-2011-2695)
* net: sk_add_backlog() take rmem_alloc into account (CVE-2010-4805)
+ * ipv6: discard overlapping fragment (CVE-2012-4444)
-- dann frazier <dannf at debian.org> Mon, 22 Oct 2012 20:34:13 -0500
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv6-discard-overlapping-fragment.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv6-discard-overlapping-fragment.patch Sat Feb 2 01:19:29 2013 (r19785)
@@ -0,0 +1,113 @@
+commit 70789d7052239992824628db8133de08dc78e593
+Author: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
+Date: Fri Sep 3 05:13:05 2010 +0000
+
+ ipv6: discard overlapping fragment
+
+ RFC5722 prohibits reassembling fragments when some data overlaps.
+
+ Bug spotted by Zhang Zuotao <zuotao.zhang at 6wind.com>.
+
+ Signed-off-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
+index 545c414..64cfef1 100644
+--- a/net/ipv6/reassembly.c
++++ b/net/ipv6/reassembly.c
+@@ -149,13 +149,6 @@ int ip6_frag_match(struct inet_frag_queue *q, void *a)
+ }
+ EXPORT_SYMBOL(ip6_frag_match);
+
+-/* Memory Tracking Functions. */
+-static void frag_kfree_skb(struct netns_frags *nf, struct sk_buff *skb)
+-{
+- atomic_sub(skb->truesize, &nf->mem);
+- kfree_skb(skb);
+-}
+-
+ void ip6_frag_init(struct inet_frag_queue *q, void *a)
+ {
+ struct frag_queue *fq = container_of(q, struct frag_queue, q);
+@@ -346,58 +339,22 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb,
+ }
+
+ found:
+- /* We found where to put this one. Check for overlap with
+- * preceding fragment, and, if needed, align things so that
+- * any overlaps are eliminated.
++ /* RFC5722, Section 4:
++ * When reassembling an IPv6 datagram, if
++ * one or more its constituent fragments is determined to be an
++ * overlapping fragment, the entire datagram (and any constituent
++ * fragments, including those not yet received) MUST be silently
++ * discarded.
+ */
+- if (prev) {
+- int i = (FRAG6_CB(prev)->offset + prev->len) - offset;
+
+- if (i > 0) {
+- offset += i;
+- if (end <= offset)
+- goto err;
+- if (!pskb_pull(skb, i))
+- goto err;
+- if (skb->ip_summed != CHECKSUM_UNNECESSARY)
+- skb->ip_summed = CHECKSUM_NONE;
+- }
+- }
++ /* Check for overlap with preceding fragment. */
++ if (prev &&
++ (FRAG6_CB(prev)->offset + prev->len) - offset > 0)
++ goto discard_fq;
+
+- /* Look for overlap with succeeding segments.
+- * If we can merge fragments, do it.
+- */
+- while (next && FRAG6_CB(next)->offset < end) {
+- int i = end - FRAG6_CB(next)->offset; /* overlap is 'i' bytes */
+-
+- if (i < next->len) {
+- /* Eat head of the next overlapped fragment
+- * and leave the loop. The next ones cannot overlap.
+- */
+- if (!pskb_pull(next, i))
+- goto err;
+- FRAG6_CB(next)->offset += i; /* next fragment */
+- fq->q.meat -= i;
+- if (next->ip_summed != CHECKSUM_UNNECESSARY)
+- next->ip_summed = CHECKSUM_NONE;
+- break;
+- } else {
+- struct sk_buff *free_it = next;
+-
+- /* Old fragment is completely overridden with
+- * new one drop it.
+- */
+- next = next->next;
+-
+- if (prev)
+- prev->next = next;
+- else
+- fq->q.fragments = next;
+-
+- fq->q.meat -= free_it->len;
+- frag_kfree_skb(fq->q.net, free_it);
+- }
+- }
++ /* Look for overlap with succeeding segment. */
++ if (next && FRAG6_CB(next)->offset < end)
++ goto discard_fq;
+
+ FRAG6_CB(skb)->offset = offset;
+
+@@ -436,6 +393,8 @@ found:
+ write_unlock(&ip6_frags.lock);
+ return -1;
+
++discard_fq:
++ fq_kill(fq);
+ err:
+ IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
+ IPSTATS_MIB_REASMFAILS);
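Review bot: The new `discard_fq:` label at the end of the hunk calls fq_kill() and then falls into the existing `err:` tail, but nothing documents what happens to the fragments already sitting in the queue, and the fall-through reads like a leak to anyone who does not know the inet_frag refcount scheme; I would add `/* fq_kill() marks the queue dead and takes it out of the hash (as I read inet_frag_kill); the queued skbs go away when the caller drops its reference, the offending skb on the shared err path below. */` above `fq_kill(fq);`. The RFC 5722 quote in the new comment promises that constituent fragments "including those not yet received" are discarded, which RFC 5722 Errata ID 3089 struck from the text and which this code does not do: once the queue is unhashed, a later fragment with the same identification presumably starts a fresh queue, so the quoted wording should be trimmed to match the actual behaviour. This backport touches only net/ipv6/reassembly.c; a 2.6.32 tree also carries a copy of the same overlap-merging code in the netfilter conntrack reassembler (nf_ct_frag6_queue in net/ipv6/netfilter/nf_conntrack_reasm.c), as far as I can tell, so confirm whether that path needs the equivalent change for CVE-2012-4444 to be closed on conntrack-enabled hosts. ip6_frag_queue() itself begins and ends outside this hunk, including the `err:` tail that frees skb.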
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1 Mon Jan 28 05:21:38 2013 (r19784)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1 Sat Feb 2 01:19:29 2013 (r19785)
@@ -12,3 +12,4 @@
- debian/net-Avoid-ABI-change-from-limit-for-socket-backlog.patch
+ bugfix/all/net-sk_add_backlog-take-remem_alloc-into-account.patch
+ debian/net-Avoid-ABI-change-from-limit-for-socket-backlog-2.patch
++ bugfix/all/ipv6-discard-overlapping-fragment.patch