[3.13.y-ckt stable] Patch "netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Fri Apr 10 17:05:08 UTC 2015 

This is a note to let you know that I have just added a patch titled

    netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len

to the linux-3.13.y-queue branch of the 3.13.y-ckt extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11-ckt19.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 26b8ce2f06cbe157526f19b328de57eb92e3c1c5 Mon Sep 17 00:00:00 2001
From: Andrey Vagin <avagin at openvz.org>
Date: Fri, 28 Mar 2014 13:54:32 +0400
Subject: netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len

commit 223b02d923ecd7c84cf9780bb3686f455d279279 upstream.

"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
case it can contain all extensions. Bellow you can find sizes for all
types of extensions. Their sum is definitely bigger than 256.

nf_ct_ext_types[0]->len = 24
nf_ct_ext_types[1]->len = 32
nf_ct_ext_types[2]->len = 24
nf_ct_ext_types[3]->len = 32
nf_ct_ext_types[4]->len = 152
nf_ct_ext_types[5]->len = 2
nf_ct_ext_types[6]->len = 16
nf_ct_ext_types[7]->len = 8

I have seen "len" up to 280 and my host has crashes w/o this patch.

The right way to fix this problem is reducing the size of the ecache
extension (4) and Florian is going to do this, but these changes will
be quite large to be appropriate for a stable tree.

Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
Cc: Pablo Neira Ayuso <pablo at netfilter.org>
Cc: Patrick McHardy <kaber at trash.net>
Cc: Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
Cc: "David S. Miller" <davem at davemloft.net>
Signed-off-by: Andrey Vagin <avagin at openvz.org>
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Reference: CVE-2014-9715
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 include/net/netfilter/nf_conntrack_extend.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index 956b175..55d1504 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -47,8 +47,8 @@ enum nf_ct_ext_id {
 /* Extensions: optional stuff which isn't permanently in struct. */
 struct nf_ct_ext {
 	struct rcu_head rcu;
-	u8 offset[NF_CT_EXT_NUM];
-	u8 len;
+	u16 offset[NF_CT_EXT_NUM];
+	u16 len;
 	char data[0];
 };

--
1.9.1

More information about the kernel-team mailing list