On Thu, Nov 24, 2011 at 06:26:58PM +0100, Stefan Bader wrote:
> A bug was found in the way headroom check was performed in
> udp6_ufo_fragment() function. A remote attacker could use this flaw to
> crash the system.
>
> Natty to Precise got the fix pending at least. Anything before 2.6.32
> is not affected. For the rest it is a clean cherry-pick all the way
> to Lucid.
>
> Somehow I am not sure anymore which topic branches are rebased and which
> are not. Hopefully the magic status will tell as soon as the master
> branches are updated and pushed...
lucid/ec2 is a rebase (though has manual intervention)
lucid/fsl-imx51 is not a rebase.
lucid/mvl-dove & maverick/mvl-dove are rebased (lucid is off support but
we rebase that to get maverick/mvl-dove).
ti-omap4 before oneiric are not rebased, oneiric and later are.
All of the lts-backport branches are effectively rebased too.

You can find the rebase applications I consider from a CVE standpoint in
the kteam-tools/cve-tools/cve-rebase-transfer at the bottom.
> From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
> From: Shan Wei <firstname.lastname@example.org>
> Date: Tue, 19 Apr 2011 22:52:49 +0000
> Subject: [PATCH] ipv6: udp: fix the wrong headroom check
>
> At this point, skb->data points to skb_transport_header.
> So, the headroom check is wrong.
> For some cases: bridge (UFO is on) + eth device (UFO is off),
> there is not enough headroom for the IPv6 frag header.
> But the headroom check is always false.
> This will cause data to be moved to before skb->head
> when adding the IPv6 frag header to the skb.
>
> Signed-off-by: Shan Wei <email@example.com>
> Acked-by: Herbert Xu <firstname.lastname@example.org>
> Signed-off-by: David S. Miller <email@example.com>
> BugLink: http://bugs.launchpad.net/bugs/894373
> (cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
> Signed-off-by: Stefan Bader <firstname.lastname@example.org>
>
> net/ipv6/udp.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 15c3774..9e305d74 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
> skb->ip_summed = CHECKSUM_NONE;
> /* Check if there is enough headroom to insert fragment header. */
> - if ((skb_headroom(skb) < frag_hdr_sz) &&
> + if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
> pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
> goto out;
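Review bot: the comment on the hunk's first context line, "Check if there is enough headroom to insert fragment header.", still describes a generic skb_headroom() test, while the new condition deliberately avoids skb_headroom() because skb->data is at the transport header here (as the commit message states) and would overstate the usable room. Extending the comment to say that the fragment header has to fit in front of the MAC header, and why skb_headroom() is not the right measure at this point, would make it harder for a later cleanup to "simplify" the check back to `skb_headroom(skb) < frag_hdr_sz` and reintroduce the write before skb->head.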
Matches the upstream commit and seems to do what is claimed.
Acked-by: Andy Whitcroft <email@example.com>
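To make the pointer reasoning in the commit message concrete, here is an added user-space C model; it is not kernel code and not part of this thread. `struct toy_skb`, `build_skb()` and `scenario_expands()` are constructed stand-ins for the sk_buff fields the hunk touches; the header lengths are the standard Ethernet (14) and IPv6 (40) sizes and the fragment header is 8 bytes.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the three sk_buff pointers that matter for this check. */
struct toy_skb {
    unsigned char *head;        /* start of the allocated buffer */
    unsigned char *mac_header;  /* start of the Ethernet header */
    unsigned char *data;        /* in udp6_ufo_fragment(): the UDP (transport) header */
};

enum { ETH_HLEN_ = 14, IPV6_HLEN_ = 40, FRAG_HDR_SZ = 8 };

/* Pre-fix check from the hunk: measures room from skb->data, which already
 * lies past the MAC and IPv6 headers, so it counts space the fragment
 * header (inserted in front of the MAC header) cannot use. */
static int old_check_needs_expand(const struct toy_skb *skb) {
    return (size_t)(skb->data - skb->head) < FRAG_HDR_SZ;
}

/* Post-fix check from the hunk: the fragment header goes in front of the
 * MAC header, so that is where FRAG_HDR_SZ bytes must exist. */
static int new_check_needs_expand(const struct toy_skb *skb) {
    return skb->mac_header < skb->head + FRAG_HDR_SZ;
}

/* Bridge(UFO on) + eth(UFO off) scenario from the commit message, with
 * `room` bytes free in front of the Ethernet header. */
static void build_skb(struct toy_skb *skb, unsigned char *buf, size_t room) {
    skb->head = buf;
    skb->mac_header = buf + room;
    skb->data = skb->mac_header + ETH_HLEN_ + IPV6_HLEN_;
}

/* Returns whether the chosen check (0 = old, 1 = new) asks to expand the head. */
static int scenario_expands(size_t room, int use_new_check) {
    unsigned char buf[256];
    struct toy_skb skb;
    build_skb(&skb, buf, room);
    return use_new_check ? new_check_needs_expand(&skb) : old_check_needs_expand(&skb);
}

int main(void) {
    /* Only 2 bytes before the MAC header: the old check says "fine", the new one expands. */
    printf("room=2: old check expands=%d (wrong), new check expands=%d (correct)\n",
           scenario_expands(2, 0), scenario_expands(2, 1));
    printf("room=16: new check expands=%d (enough room, no expand needed)\n",
           scenario_expands(16, 1));
    return 0;
}
```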
kernel-team mailing list