Linux v4.12.6
This commit is contained in:
parent
646847ae2a
commit
0552df9464
|
@ -1,54 +0,0 @@
|
|||
From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001
|
||||
From: Sabrina Dubroca <sd@queasysnail.net>
|
||||
Date: Wed, 19 Jul 2017 22:28:55 +0200
|
||||
Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt
|
||||
|
||||
In some cases, offset can overflow and can cause an infinite loop in
|
||||
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
|
||||
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
|
||||
|
||||
This problem has been here since before the beginning of git history.
|
||||
|
||||
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/output_core.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
|
||||
index e9065b8..abb2c30 100644
|
||||
--- a/net/ipv6/output_core.c
|
||||
+++ b/net/ipv6/output_core.c
|
||||
@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
|
||||
|
||||
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
|
||||
{
|
||||
- u16 offset = sizeof(struct ipv6hdr);
|
||||
+ unsigned int offset = sizeof(struct ipv6hdr);
|
||||
unsigned int packet_len = skb_tail_pointer(skb) -
|
||||
skb_network_header(skb);
|
||||
int found_rhdr = 0;
|
||||
@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
|
||||
|
||||
while (offset <= packet_len) {
|
||||
struct ipv6_opt_hdr *exthdr;
|
||||
+ unsigned int len;
|
||||
|
||||
switch (**nexthdr) {
|
||||
|
||||
@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
|
||||
|
||||
exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
|
||||
offset);
|
||||
- offset += ipv6_optlen(exthdr);
|
||||
+ len = ipv6_optlen(exthdr);
|
||||
+ if (len + offset >= IPV6_MAXPLEN)
|
||||
+ return -EINVAL;
|
||||
+ offset += len;
|
||||
*nexthdr = &exthdr->nexthdr;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.4
|
||||
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 5
|
||||
%define stable_update 6
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -665,9 +665,6 @@ Patch615: 0015-i2c-cht-wc-Add-Intel-Cherry-Trail-Whiskey-Cove-SMBUS.patch
|
|||
# Small workaround patches for issues with a more comprehensive fix in -next
|
||||
Patch616: 0016-Input-silead-Do-not-try-to-directly-access-the-GPIO-.patch
|
||||
|
||||
# CVE-2017-7542 rhbz 1473649 1473650
|
||||
Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
|
||||
|
||||
# rhbz 1431375
|
||||
Patch703: HID-rmi-Make-sure-the-HID-device-is-opened-on-resume.patch
|
||||
Patch704: input-rmi4-remove-the-need-for-artifical-IRQ.patch
|
||||
|
@ -2254,6 +2251,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Fri Aug 11 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.6-200
|
||||
- Linux v4.12.6
|
||||
|
||||
* Mon Aug 07 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.5-200
|
||||
- Linux v4.12.5 rebase
|
||||
- Fixes CVE-2017-7533 (rhbz 1468283 1478086)
|
||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (perf-man-4.12.tar.gz) = 4d3bbda1f520dba0007c351af46f45085fe4842074eb2e01aee736fd369df595f8f72ed6c1192715f1120bf3353279777f9dca1178fe93bffe5be2de700d409c
|
||||
SHA512 (linux-4.12.tar.xz) = 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728
|
||||
SHA512 (patch-4.12.5.xz) = b9e74f148a0bd76df8c52e6384933b9eddd8477c713b14389a34655538abab70ffa70e99b504a60d0adf1937c771d9bb3879511e6c3666c345d490848eb4f113
|
||||
SHA512 (patch-4.12.6.xz) = 78d480b3ad51028c129b1e3d63e3179f754bc8ab9987aa8e5815b105c8cb270c88673babee4124431861f769bc6f42c848391b065f7a3e02bec9b6a5290e2836
|
||||
|
|
Loading…
Reference in New Issue