[PATCH 0/1] [HARDY] [CVE-2012-2744] netfilter: nf_conntrack_reasm: properly handle packets fragmented into a single fragment

Brad Figg brad.figg at canonical.com
Wed Jul 11 20:38:41 UTC 2012


CVE-2012-2744

BugLink: http://bugs.launchpad.net/bugs/1234567

When an ICMPV6_PKT_TOOBIG message is received with a MTU below 1280,
all further packets include a fragment header.

Unlike regular defragmentation, conntrack also needs to "reassemble"
those fragments in order to obtain a packet without the fragment
header for connection tracking. Currently nf_conntrack_reasm checks
whether a fragment has either IP6_MF set or an offset != 0, which
makes it ignore those fragments.

Remove the invalid check and make reassembly handle fragment queues
containing only a single fragment.

Patrick McHardy (1):
  netfilter: nf_conntrack_reasm: properly handle packets fragmented
    into a single fragment

 .../src/net/ipv6/netfilter/nf_conntrack_reasm.c    |    8 +-------
 .../src/net/ipv6/netfilter/nf_conntrack_reasm.c    |    8 +-------
 net/ipv6/netfilter/nf_conntrack_reasm.c            |    8 +-------
 3 files changed, 3 insertions(+), 21 deletions(-)

-- 
1.7.9.5
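The condition the cover letter calls invalid is easier to see against the fragment-header bit layout. The following user-space C program is an added illustration, not code from the patch, from nf_conntrack_reasm.c or from Brad Figg's mail: it parses the 8-octet IPv6 Fragment header (RFC 2460 layout, with the offset in the high 13 bits of frag_off and the M flag in bit 0), classifies a fragment, and models the pre-fix decision ("bypass reassembly when neither MF is set nor the offset is non-zero") beside the post-fix one ("queue every packet that carries a fragment header"). The function names, the enum and the sample headers are my own constructions; the mask values are assumptions derived from the RFC layout rather than copied from the kernel source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Wire layout of the IPv6 Fragment extension header (RFC 2460, 8 octets):
 *   nexthdr(1) | reserved(1) | frag_off(2) | identification(4)
 * frag_off = 13-bit fragment offset (8-octet units) | 2 reserved bits | M flag. */
#define FRAG_HDR_LEN   8
#define FRAG_OFF_MASK  0xFFF8u   /* offset bits; masked value is already the byte offset */
#define FRAG_MF        0x0001u   /* "more fragments" flag */

enum frag_kind { FRAG_BAD = -1, FRAG_SINGLE, FRAG_FIRST, FRAG_MIDDLE, FRAG_LAST };

/* Read the big-endian frag_off field; returns -1 if the buffer is too short. */
static int read_frag_off(const uint8_t *buf, size_t len, unsigned *frag_off)
{
    if (buf == NULL || len < FRAG_HDR_LEN)
        return -1;
    *frag_off = ((unsigned)buf[2] << 8) | buf[3];
    return 0;
}

/* Classify a fragment by its offset and M flag (assumed helper, not kernel code). */
static int classify_fragment(const uint8_t *buf, size_t len)
{
    unsigned fo;
    if (read_frag_off(buf, len, &fo) < 0)
        return FRAG_BAD;
    unsigned offset = fo & FRAG_OFF_MASK;
    unsigned more   = fo & FRAG_MF;
    if (offset == 0)
        return more ? FRAG_FIRST : FRAG_SINGLE;
    return more ? FRAG_MIDDLE : FRAG_LAST;
}

/* Pre-fix behaviour described in the cover letter: a packet whose fragment
 * header has neither MF set nor a non-zero offset is treated as "not a
 * fragment" and bypasses reassembly, so conntrack still sees the fragment
 * header. Returns 1 = bypass, 0 = reassemble, -1 = malformed header. */
static int old_policy_skips_reassembly(const uint8_t *buf, size_t len)
{
    unsigned fo;
    if (read_frag_off(buf, len, &fo) < 0)
        return -1;
    return (fo & (FRAG_OFF_MASK | FRAG_MF)) == 0;
}

/* Post-fix behaviour: every packet carrying a fragment header is queued,
 * and a queue holding a single fragment is reassembled like any other. */
static int fixed_policy_skips_reassembly(const uint8_t *buf, size_t len)
{
    unsigned fo;
    return read_frag_off(buf, len, &fo) < 0 ? -1 : 0;
}

/* Constructed sample headers (not captured traffic): nexthdr 6 (TCP),
 * identification 0xdeadbeef. */
static const uint8_t SAMPLE_SINGLE[FRAG_HDR_LEN] = {6, 0, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t SAMPLE_FIRST [FRAG_HDR_LEN] = {6, 0, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t SAMPLE_MIDDLE[FRAG_HDR_LEN] = {6, 0, 0x04, 0xd1, 0xde, 0xad, 0xbe, 0xef}; /* offset 1232, MF set */
static const uint8_t SAMPLE_LAST  [FRAG_HDR_LEN] = {6, 0, 0x04, 0xd0, 0xde, 0xad, 0xbe, 0xef}; /* offset 1232, MF clear */

int main(void)
{
    const char *names[] = {"single", "first", "middle", "last"};
    const uint8_t *samples[] = {SAMPLE_SINGLE, SAMPLE_FIRST, SAMPLE_MIDDLE, SAMPLE_LAST};
    for (int i = 0; i < 4; i++)
        printf("%-6s fragment: kind=%d old_bypass=%d fixed_bypass=%d\n", names[i],
               classify_fragment(samples[i], FRAG_HDR_LEN),
               old_policy_skips_reassembly(samples[i], FRAG_HDR_LEN),
               fixed_policy_skips_reassembly(samples[i], FRAG_HDR_LEN));
    return 0;
}
```

The "single" sample is exactly the case the cover letter describes: after a Packet Too Big with an MTU below 1280, a sender emits packets that carry a fragment header with offset 0 and M clear (RFC 6946 calls these atomic fragments). The old policy hands such a packet through with its fragment header intact, so conntrack never obtains the header-free packet it needs; the fixed policy queues it and lets reassembly cope with a queue of one.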
