authorJiri Bohac <jbohac@suse.cz>2013-05-16 19:52:34 (GMT)
committer Jiri Bohac <jbohac@suse.cz>2013-05-16 19:52:34 (GMT)
commit12adc02a509d27ab22a97b0ec2fa4640943c011f (patch) (side-by-side diff)
tree56c5c877cafebdf6f550fc6acc01fab1b6820ac2
parent364e7074119580b1d1bdcf904141996e0c672d53 (diff)
- patches.fixes/ipv6-discard-overlapping-fragment.patch: ipv6:
discard overlapping fragment (CVE-2012-4444, bnc#789831).
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--kernel-source.changes6
-rw-r--r--patches.fixes/ipv6-discard-overlapping-fragment.patch105
-rw-r--r--series.conf2
3 files changed, 112 insertions, 1 deletions
diff --git a/kernel-source.changes b/kernel-source.changes
index 9b5e479..8e97882 100644
--- a/kernel-source.changes
+++ b/kernel-source.changes
@@ -1,4 +1,10 @@
-------------------------------------------------------------------
+Thu May 16 21:51:35 CEST 2013 - jbohac@suse.cz
+
+- patches.fixes/ipv6-discard-overlapping-fragment.patch: ipv6:
+ discard overlapping fragment (CVE-2012-4444, bnc#789831).
+
+-------------------------------------------------------------------
Mon May 13 10:40:33 CEST 2013 - mhocko@suse.cz
- patches.fixes/PATCH-hugetlb-preserve-hugetlb-pte-dirty-state.patch:
diff --git a/patches.fixes/ipv6-discard-overlapping-fragment.patch b/patches.fixes/ipv6-discard-overlapping-fragment.patch
new file mode 100644
index 0000000..de8870c
--- a/dev/null
+++ b/patches.fixes/ipv6-discard-overlapping-fragment.patch
@@ -0,0 +1,105 @@
+From 70789d7052239992824628db8133de08dc78e593 Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 3 Sep 2010 05:13:05 +0000
+Subject: [PATCH] ipv6: discard overlapping fragment
+Git-commit: 70789d7052239992824628db8133de08dc78e593
+Patch-mainline: 2.6.36-rc4
+References: CVE-2012-4444, bnc#789831
+
+RFC5722 prohibits reassembling fragments when some data overlaps.
+
+Bug spotted by Zhang Zuotao <zuotao.zhang@6wind.com>.
+
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Hocko <mhocko@suse.cz>
+Acked-by: Jiri Bohac <jbohac@suse.cz>
+
+---
+ net/ipv6/reassembly.c | 66 ++++++++++++--------------------------------------
+ 1 file changed, 16 insertions(+), 50 deletions(-)
+
+--- a/net/ipv6/reassembly.c
++++ b/net/ipv6/reassembly.c
+@@ -485,58 +485,22 @@ static void ip6_frag_queue(struct frag_q
+ prev = next;
+ }
+
+- /* We found where to put this one. Check for overlap with
+- * preceding fragment, and, if needed, align things so that
+- * any overlaps are eliminated.
++ /* RFC5722, Section 4:
++ * When reassembling an IPv6 datagram, if
++ * one or more its constituent fragments is determined to be an
++ * overlapping fragment, the entire datagram (and any constituent
++ * fragments, including those not yet received) MUST be silently
++ * discarded.
+ */
+- if (prev) {
+- int i = (FRAG6_CB(prev)->offset + prev->len) - offset;
+
+- if (i > 0) {
+- offset += i;
+- if (end <= offset)
+- goto err;
+- if (!pskb_pull(skb, i))
+- goto err;
+- if (skb->ip_summed != CHECKSUM_UNNECESSARY)
+- skb->ip_summed = CHECKSUM_NONE;
+- }
+- }
+-
+- /* Look for overlap with succeeding segments.
+- * If we can merge fragments, do it.
+- */
+- while (next && FRAG6_CB(next)->offset < end) {
+- int i = end - FRAG6_CB(next)->offset; /* overlap is 'i' bytes */
+-
+- if (i < next->len) {
+- /* Eat head of the next overlapped fragment
+- * and leave the loop. The next ones cannot overlap.
+- */
+- if (!pskb_pull(next, i))
+- goto err;
+- FRAG6_CB(next)->offset += i; /* next fragment */
+- fq->meat -= i;
+- if (next->ip_summed != CHECKSUM_UNNECESSARY)
+- next->ip_summed = CHECKSUM_NONE;
+- break;
+- } else {
+- struct sk_buff *free_it = next;
+-
+- /* Old fragment is completely overridden with
+- * new one drop it.
+- */
+- next = next->next;
+-
+- if (prev)
+- prev->next = next;
+- else
+- fq->fragments = next;
+-
+- fq->meat -= free_it->len;
+- frag_kfree_skb(free_it, NULL);
+- }
+- }
++ /* Check for overlap with preceding fragment. */
++ if (prev &&
++ (FRAG6_CB(prev)->offset + prev->len) - offset > 0)
++ goto discard_fq;
++
++ /* Look for overlap with succeeding segment. */
++ if (next && FRAG6_CB(next)->offset < end)
++ goto discard_fq;
+
+ FRAG6_CB(skb)->offset = offset;
+
+@@ -566,6 +530,8 @@ static void ip6_frag_queue(struct frag_q
+ write_unlock(&ip6_frag_lock);
+ return;
+
++discard_fq:
++ fq_kill(fq);
+ err:
+ IP6_INC_STATS(IPSTATS_MIB_REASMFAILS);
+ kfree_skb(skb);
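Review bot: The two new overlap checks (the `prev` test and the `next` test just before `FRAG6_CB(skb)->offset = offset`) also match an exact retransmission of a fragment that is already queued, because — assuming the insertion search above the hunk stops at the first queued fragment whose offset is not below the new one, as upstream's does — a duplicate arrives with `next->offset == offset < end`, so a benign duplicate now kills the whole reassembly queue via `discard_fq` instead of being dropped on its own. That is within what RFC 5722 allows and matches the upstream commit, but it is stricter than the removed trim-and-merge path and deserves a comment, e.g. above the checks: `/* Any overlap, including an exact duplicate of a queued fragment, discards the whole queue (RFC 5722, Section 4). */`. The `discard_fq:` label relies on falling through into `err:` so that REASMFAILS is counted and the skb is freed after `fq_kill(fq)`; a `/* fall through to err */` after `fq_kill(fq);` would make that intent explicit. Whether the caller still drops its own reference to `fq` after `fq_kill()` cannot be verified here, since `ip6_frag_queue` starts and ends outside the hunk.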
diff --git a/series.conf b/series.conf
index 0268638..b3ad405 100644
--- a/series.conf
+++ b/series.conf
@@ -1827,7 +1827,7 @@
patches.fixes/nat-dont-add-nat-extension-for-confirmed-conntracks.patch
patches.fixes/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
patches.fixes/tcp-fix-premature-termination-of-FIN_WAIT2-time-wait.patch
-
+ patches.fixes/ipv6-discard-overlapping-fragment.patch
########################################################
# These patches are from the netfilter team, and