/[linux-patches]/genpatches-2.6/trunk/2.6.14/1492_16.1_block-inetid-during-rst.patch
Gentoo

Contents of /genpatches-2.6/trunk/2.6.14/1492_16.1_block-inetid-during-rst.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 381 - (hide annotations) (download) (as text)
Thu Apr 13 15:29:29 2006 UTC (14 years, 7 months ago) by johnm
File MIME type: text/x-diff
File size: 1629 byte(s)
Applying appropriate CVE fixes
1 johnm 381 From stable-bounces@linux.kernel.org Wed Mar 22 14:36:39 2006
2     Date: Wed, 22 Mar 2006 14:34:42 -0800 (PST)
3     From: "David S. Miller" <davem@davemloft.net>
4     To: stable@kernel.org
5     Cc:
6     Subject: [PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)
7    
8     From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
9    
10    
11     The problem is in ip_push_pending_frames(), which uses:
12    
13     if (!df) {
14     __ip_select_ident(iph, &rt->u.dst, 0);
15     } else {
16     iph->id = htons(inet->id++);
17     }
18    
19     instead of ip_select_ident().
20    
21     Right now I think the code is a nonsense. Most likely, I copied it from
22     old ip_build_xmit(), where it was really special, we had to decide
23     whether to generate unique ID when generating the first (well, the last)
24     fragment.
25    
26     In ip_push_pending_frames() it does not make sense, it should use plain
27     ip_select_ident() instead.
28    
29     Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
30     Signed-off-by: David S. Miller <davem@davemloft.net>
31     Signed-off-by: Chris Wright <chrisw@sous-sol.org>
32     Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
33     ---
34    
35     net/ipv4/ip_output.c | 6 +-----
36     1 file changed, 1 insertion(+), 5 deletions(-)
37    
38     --- linux-2.6.16.orig/net/ipv4/ip_output.c
39     +++ linux-2.6.16/net/ipv4/ip_output.c
40     @@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock *
41     iph->tos = inet->tos;
42     iph->tot_len = htons(skb->len);
43     iph->frag_off = df;
44     - if (!df) {
45     - __ip_select_ident(iph, &rt->u.dst, 0);
46     - } else {
47     - iph->id = htons(inet->id++);
48     - }
49     + ip_select_ident(iph, &rt->u.dst, sk);
50     iph->ttl = ttl;
51     iph->protocol = sk->sk_protocol;
52     iph->saddr = rt->rt_src;

  ViewVC Help
Powered by ViewVC 1.1.20