[Lucid, Maverick, M/ti-omap4, N/ti-omap4] CVE-2011-4326

Stefan Bader stefan.bader at canonical.com
Thu Nov 24 17:26:58 UTC 2011

A bug was found in the way headroom check was performed in
udp6_ufo_fragment() function. A remote attacker could use this flaw to
crash the system.

Natty to Precise got the fix pending at least. Anything before 2.6.32
is not affected. For the rest it is a clean cherry-pick all the way
to Lucid.

Somehow I am not sure anymore which topic branches are rebased and which
are not. Hopefully the magic status will tell as soon as the master
branches are updated and pushed...


From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
From: Shan Wei <shanwei at cn.fujitsu.com>
Date: Tue, 19 Apr 2011 22:52:49 +0000
Subject: [PATCH] ipv6: udp: fix the wrong headroom check

At this point, skb->data points to skb_transport_header.
So, the headroom check is wrong.

For some cases: bridge (UFO is on) + eth device (UFO is off),
there is not enough headroom for the IPv6 frag header.
But the headroom check is always false.

This will cause data to be moved to before skb->head
when adding the IPv6 frag header to the skb.

Signed-off-by: Shan Wei <shanwei at cn.fujitsu.com>
Acked-by: Herbert Xu <herbert at gondor.apana.org.au>
Signed-off-by: David S. Miller <davem at davemloft.net>

BugLink: http://bugs.launchpad.net/bugs/894373
(cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
 net/ipv6/udp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 15c3774..9e305d74 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
 	skb->ip_summed = CHECKSUM_NONE;
 	/* Check if there is enough headroom to insert fragment header. */
-	if ((skb_headroom(skb) < frag_hdr_sz) &&
+	if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
 	    pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
 		goto out;
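Review bot: the new condition is only correct because skb->data has already been pulled to the transport header at this point, so skb_headroom(skb) over-reports the space actually available in front of the MAC header that will be re-prepended; the existing comment ("Check if there is enough headroom to insert fragment header.") should say that the headroom is measured from skb_mac_header(skb), not skb->data, otherwise the next reader is likely to "simplify" it back to skb_headroom(). Also worth stating in the commit message that skb_mac_header(skb) is guaranteed to be set on this GSO path, since comparing an unset MAC header pointer against skb->head + frag_hdr_sz would silently give the wrong answer, and that expanding by frag_hdr_sz in pskb_expand_head() is sufficient precisely because the shortfall is bounded by the fragment header size.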
