Ack: Re: [Lucid, Maverick, M/ti-omap4, N/ti-omap4] CVE-2011-4326

Herton Ronaldo Krzesinski herton.krzesinski at canonical.com
Thu Nov 24 17:46:26 UTC 2011


On Thu, Nov 24, 2011 at 06:26:58PM +0100, Stefan Bader wrote:
> A bug was found in the way headroom check was performed in
> udp6_ufo_fragment() function. A remote attacker could use this flaw to
> crash the system.
> 
> Natty to Precise got the fix pending at least. Anything before 2.6.32
> is not affected. For the rest it is a clean cherry-pick all the way
> to Lucid.
> 
> Somehow I am not sure anymore which topic branches are rebased and which
> are not. Hopefully the magic status will tell as soon as the master
> branches are updated and pushed...
> 
> -Stefan
> 
> From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
> From: Shan Wei <shanwei at cn.fujitsu.com>
> Date: Tue, 19 Apr 2011 22:52:49 +0000
> Subject: [PATCH] ipv6: udp: fix the wrong headroom check
> 
> At this point, skb->data points to skb_transport_header.
> So the headroom check is wrong.
> 
> For some cases, e.g. bridge (UFO is on) + eth device (UFO is off),
> there is not enough headroom for the IPv6 frag head,
> but the headroom check is always false.
> 
> This will cause data to be moved to a location before skb->head
> when adding the IPv6 frag header to the skb.
> 
> Signed-off-by: Shan Wei <shanwei at cn.fujitsu.com>
> Acked-by: Herbert Xu <herbert at gondor.apana.org.au>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> 
> BugLink: http://bugs.launchpad.net/bugs/894373
> CVE-2011-4326
> (cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  net/ipv6/udp.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 15c3774..9e305d74 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
>  	skb->ip_summed = CHECKSUM_NONE;
>  
>  	/* Check if there is enough headroom to insert fragment header. */
> -	if ((skb_headroom(skb) < frag_hdr_sz) &&
> +	if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
>  	    pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
>  		goto out;
>  
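Review bot: the new condition on the `+` line is a pointer comparison whose intent (room for frag_hdr_sz bytes in front of the MAC header, because skb->data sits at the transport header here so skb_headroom() over-reports the usable space) is not stated anywhere in the code; the comment above it still says only "Check if there is enough headroom to insert fragment header." Suggest extending that comment to say the room is measured from skb_mac_header(), or writing the check as the length it really is, `skb_mac_header(skb) - skb->head < frag_hdr_sz`, so a later reader does not "fix" it back to skb_headroom(). The pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC) call is unchanged and grows the area in front of skb->head, which is consistent with the corrected test; the remaining assumption is that the MAC header has been set on this path, which is true for the UFO/GSO output case the hunk sits in but worth noting next to the pointer comparison.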
> -- 
> 1.7.5.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 
