CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)
This commit is contained in:
parent
a6bed447f4
commit
017cb84224
|
@ -0,0 +1,40 @@
|
|||
From 0e033e04c2678dbbe74a46b23fffb7bb918c288e Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Tue, 5 Nov 2013 02:41:27 +0100
|
||||
Subject: [PATCH] ipv6: fix headroom calculation in udp6_ufo_fragment
|
||||
|
||||
Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
|
||||
fragmentation for tunnel traffic.") changed the calculation if
|
||||
there is enough space to include a fragment header in the skb from a
|
||||
skb->mac_header dervived one to skb_headroom. Because we already peeled
|
||||
off the skb to transport_header this is wrong. Change this back to check
|
||||
if we have enough room before the mac_header.
|
||||
|
||||
This fixes a panic Saran Neti reported. He used the tbf scheduler which
|
||||
skb_gso_segments the skb. The offsets get negative and we panic in memcpy
|
||||
because the skb was erroneously not expanded at the head.
|
||||
|
||||
Reported-by: Saran Neti <Saran.Neti@telus.com>
|
||||
Cc: Pravin B Shelar <pshelar@nicira.com>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/udp_offload.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
|
||||
index 08e23b0..e7359f9 100644
|
||||
--- a/net/ipv6/udp_offload.c
|
||||
+++ b/net/ipv6/udp_offload.c
|
||||
@@ -90,7 +90,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
|
||||
|
||||
/* Check if there is enough headroom to insert fragment header. */
|
||||
tnl_hlen = skb_tnl_header_len(skb);
|
||||
- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
|
||||
+ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
|
||||
if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
|
||||
goto out;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -742,6 +742,9 @@ Patch25140: drm-qxl-backport-fixes-for-Fedora.patch
|
|||
|
||||
Patch25141: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
|
||||
|
||||
#CVE-2013-4563 rhbz 1030015 1030017
|
||||
Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1452,6 +1455,9 @@ ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch
|
|||
|
||||
ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
|
||||
|
||||
#CVE-2013-4563 rhbz 1030015 1030017
|
||||
ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2255,6 +2261,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Thu Nov 14 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)
|
||||
|
||||
* Sat Nov 09 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.12.0-2
|
||||
- Add patch from Daniel Stone to avoid high order allocations in evdev
|
||||
- Add qxl backport fixes from Dave Airlie
|
||||
|
|
Loading…
Reference in New Issue