[linux] 01/07: ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Fri Jul 28 08:16:08 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 04ae6a30bf617a95fa98053a4b0637ec1b7940c6
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Jul 28 08:34:04 2017 +0200
ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
---
debian/changelog | 1 +
...overflow-of-offset-in-ip6_find_1stfragopt.patch | 55 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 57 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 92eff24..274c1d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ linux (3.16.43-2+deb8u3) UNRELEASED; urgency=medium
(CVE-2017-7482)
* brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
(CVE-2017-7541)
+ * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
-- Salvatore Bonaccorso <carnil at debian.org> Thu, 27 Jul 2017 22:02:24 +0200
diff --git a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
new file mode 100644
index 0000000..d1b4d72
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
@@ -0,0 +1,55 @@
+From: Sabrina Dubroca <sd at queasysnail.net>
+Date: Wed, 19 Jul 2017 22:28:55 +0200
+Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
+Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542
+
+In some cases, offset can overflow and can cause an infinite loop in
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
+
+This problem has been here since before the beginning of git history.
+
+Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/output_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index e9065b8d3af8..abb2c307fbe8 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
+
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+- u16 offset = sizeof(struct ipv6hdr);
++ unsigned int offset = sizeof(struct ipv6hdr);
+ unsigned int packet_len = skb_tail_pointer(skb) -
+ skb_network_header(skb);
+ int found_rhdr = 0;
+@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ while (offset <= packet_len) {
+ struct ipv6_opt_hdr *exthdr;
++ unsigned int len;
+
+ switch (**nexthdr) {
+
+@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ offset);
+- offset += ipv6_optlen(exthdr);
++ len = ipv6_optlen(exthdr);
++ if (len + offset >= IPV6_MAXPLEN)
++ return -EINVAL;
++ offset += len;
+ *nexthdr = &exthdr->nexthdr;
+ }
+
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index d030e04..8ac7954 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -716,6 +716,7 @@ bugfix/all/regulator-core-Fix-regualtor_ena_gpio_free-not-to-ac.patch
bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
+bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list