CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)
This commit is contained in:
Josh Boyer
parent
54e7683bf8
commit
67ce21f875
|
|
@ -0,0 +1,43 @@
|
|||
Bugzilla: 1030015 1030017
|
||||
Upstream-status: 3.13
|
||||
|
||||
From aeb45260747b0a1bf4d374d5e65298cc254cb4f5 Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Tue, 5 Nov 2013 02:41:27 +0100
|
||||
Subject: [PATCH] ipv6: fix headroom calculation in udp6_ufo_fragment
|
||||
|
||||
Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
|
||||
fragmentation for tunnel traffic.") changed the calculation if
|
||||
there is enough space to include a fragment header in the skb from a
|
||||
skb->mac_header dervived one to skb_headroom. Because we already peeled
|
||||
off the skb to transport_header this is wrong. Change this back to check
|
||||
if we have enough room before the mac_header.
|
||||
|
||||
This fixes a panic Saran Neti reported. He used the tbf scheduler which
|
||||
skb_gso_segments the skb. The offsets get negative and we panic in memcpy
|
||||
because the skb was erroneously not expanded at the head.
|
||||
|
||||
Reported-by: Saran Neti <Saran.Neti@telus.com>
|
||||
Cc: Pravin B Shelar <pshelar@nicira.com>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/udp_offload.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
|
||||
index 5d1b8d7..657914b 100644
|
||||
--- a/net/ipv6/udp_offload.c
|
||||
+++ b/net/ipv6/udp_offload.c
|
||||
@@ -86,7 +86,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
|
||||
|
||||
/* Check if there is enough headroom to insert fragment header. */
|
||||
tnl_hlen = skb_tnl_header_len(skb);
|
||||
- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
|
||||
+ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
|
||||
if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
|
||||
goto out;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
|
@ -789,6 +789,9 @@ Patch25143: drm-qxl-backport-fixes-for-Fedora.patch
|
|||
|
||||
Patch25144: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
|
||||
|
||||
#CVE-2013-4563 rhbz 1030015 1030017
|
||||
Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1526,6 +1529,9 @@ ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch
|
|||
|
||||
ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
|
||||
|
||||
#CVE-2013-4563 rhbz 1030015 1030017
|
||||
ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2338,6 +2344,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Thu Nov 14 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)
|
||||
|
||||
* Wed Nov 13 2013 Justin M. Forbes <jforbes@fedoraproject.org> - 3.11.8-200
|
||||
- Linux v3.11.8
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue