CVE-2014-9428 remote DoS via batman-adv (rhbz 1178826 1178833)

batman-adv-Calculate-extra-tail-size-based-on-queued.patch

@@ -0,0 +1,61 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 20 Dec 2014 13:48:55 +0100
+Subject: [PATCH] batman-adv: Calculate extra tail size based on queued
+ fragments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The fragmentation code was replaced in 610bfc6bc99bc83680d190ebc69359a05fc7f605
+("batman-adv: Receive fragmented packets and merge"). The new code provided a
+mostly unused parameter skb for the merging function. It is used inside the
+function to calculate the additionally needed skb tailroom. But instead of
+increasing its own tailroom, it is only increasing the tailroom of the first
+queued skb. This is not correct in some situations because the first queued
+entry can be a different one than the parameter.
+
+An observed problem was:
+
+1. packet with size 104, total_size 1464, fragno 1 was received
+   - packet is queued
+2. packet with size 1400, total_size 1464, fragno 0 was received
+   - packet is queued at the end of the list
+3. enough data was received and can be given to the merge function
+   (1464 == (1400 - 20) + (104 - 20))
+   - merge functions gets 1400 byte large packet as skb argument
+4. merge function gets first entry in queue (104 byte)
+   - stored as skb_out
+5. merge function calculates the required extra tail as total_size - skb->len
+   - pskb_expand_head tail of skb_out with 64 bytes
+6. merge function tries to squeeze the extra 1380 bytes from the second queued
+   skb (1400 byte aka skb parameter) in the 64 extra tail bytes of skb_out
+
+Instead calculate the extra required tail bytes for skb_out also using skb_out
+instead of using the parameter skb. The skb parameter is only used to get the
+total_size from the last received packet. This is also the total_size used to
+decide that all fragments were received.
+
+Reported-by: Philipp Psurek <philipp.psurek@gmail.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Martin Hundebøll <martin@hundeboll.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/batman-adv/fragmentation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index fc1835c6bb40..8af3461d18d2 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb)
+ 	kfree(entry);
+ 
+ 	/* Make room for the rest of the fragments. */
+-	if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) {
++	if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
+ 		kfree_skb(skb_out);
+ 		skb_out = NULL;
+ 		goto free;
+-- 
+2.1.0
+

kernel.spec

@@ -676,6 +676,9 @@ Patch26120: userns-Unbreak-the-unprivileged-remount-tests.patch
 #rhbz 1163927
 Patch26121: Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
 
+#CVE-2014-9428 rhbz 1178826,1178833
+Patch26122: batman-adv-Calculate-extra-tail-size-based-on-queued.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 
@@ -1461,6 +1464,9 @@ ApplyPatch userns-Unbreak-the-unprivileged-remount-tests.patch
 #rhbz 1163927
 ApplyPatch Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
 
+#CVE-2014-9428 rhbz 1178826,1178833
+ApplyPatch batman-adv-Calculate-extra-tail-size-based-on-queued.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2336,6 +2342,7 @@ fi
 #                                    ||     ||
 %changelog
 * Tue Jan 06 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-9428 remote DoS via batman-adv (rhbz 1178826 1178833)
 - Fix CIFS login issue (rhbz 1163927)
 
 * Mon Dec 29 2014 Josh Boyer <jwboyer@fedoraproject.org>