11-24-2011, 04:46 PM
Herton Ronaldo Krzesinski

Ack: CVE-2011-4326

On Thu, Nov 24, 2011 at 06:26:58PM +0100, Stefan Bader wrote:
> A bug was found in the way headroom check was performed in
> udp6_ufo_fragment() function. A remote attacker could use this flaw to
> crash the system.
>
> Natty to Precise got the fix pending at least. Anything before 2.6.32
> is not affected. For the rest it is a clean cherry-pick all the way
> to Lucid.
>
> Somehow I am not sure anymore which topic branches are rebased and which
> are not. Hopefully the magic status will tell as soon as the master
> branches are updated and pushed...
>
> -Stefan
>
> From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
> From: Shan Wei <shanwei@cn.fujitsu.com>
> Date: Tue, 19 Apr 2011 22:52:49 +0000
> Subject: [PATCH] ipv6: udp: fix the wrong headroom check
>
> At this point, skb->data points to skb_transport_header.
> So, headroom check is wrong.
>
> For some cases: bridge (UFO is on) + eth device (UFO is off),
> there is not enough headroom for IPv6 frag head.
> But headroom check is always false.
>
> This will cause data to be moved to a location prior to skb->head
> when adding the IPv6 frag header to skb.
>
> Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> BugLink: http://bugs.launchpad.net/bugs/894373
> CVE-2011-4326
> (cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
> net/ipv6/udp.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 15c3774..9e305d74 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
> skb->ip_summed = CHECKSUM_NONE;
>
> /* Check if there is enough headroom to insert fragment header. */
> - if ((skb_headroom(skb) < frag_hdr_sz) &&
> + if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
> pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
> goto out;
>
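Review bot: the comment above the changed condition still reads only "Check if there is enough headroom to insert fragment header", while the new test on the `+` line measures the space in front of the MAC header instead of the space in front of skb->data, and the code does not say why. Suggest extending that comment with what the commit message states: skb->data points at the transport header at this point, so skb_headroom() also counts the bytes occupied by the headers in front of it and the old check never triggered pskb_expand_head(). The condition would also be easier to compare with the old one if written as a length, for example `skb_mac_header(skb) - skb->head < frag_hdr_sz`, which keeps frag_hdr_sz alone on the right-hand side.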
> --
> 1.7.5.4
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
