packages: kernel/kernel-CVE-2011-1927.patch (NEW) - patch resolving CVE-201...

marti marti at pld-linux.org
Thu May 19 22:21:33 CEST 2011


Author: marti                        Date: Thu May 19 20:21:33 2011 GMT
Module: packages                      Tag: HEAD
---- Log message:
- patch resolving CVE-2011-1927

---- Files affected:
packages/kernel:
   kernel-CVE-2011-1927.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/kernel/kernel-CVE-2011-1927.patch
diff -u /dev/null packages/kernel/kernel-CVE-2011-1927.patch:1.1
--- /dev/null	Thu May 19 22:21:33 2011
+++ packages/kernel/kernel-CVE-2011-1927.patch	Thu May 19 22:21:28 2011
@@ -0,0 +1,52 @@
+diff -ur linux-2.6.38-orig/net/ipv4/ip_fragment.c linux-2.6.38/net/ipv4/ip_fragment.c
+--- linux-2.6.38-orig/net/ipv4/ip_fragment.c	2011-03-15 02:20:32.000000000 +0100
++++ linux-2.6.38/net/ipv4/ip_fragment.c	2011-05-19 22:17:57.229544248 +0200
+@@ -223,32 +223,31 @@
+ 
+ 	if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
+ 		struct sk_buff *head = qp->q.fragments;
++		const struct iphdr *iph;
++		int err;
+ 
+ 		rcu_read_lock();
+ 		head->dev = dev_get_by_index_rcu(net, qp->iif);
+ 		if (!head->dev)
+ 			goto out_rcu_unlock;
++		
++		/* skb dst is stale, drop it, and perform route lookup again */
++		skb_dst_drop(head);
++		iph = ip_hdr(head);
++		err = ip_route_input_noref(head, iph->daddr, iph->saddr,
++									iph->tos, head->dev);
++		if (err)
++				goto out_rcu_unlock;
+ 
+ 		/*
+-		 * Only search router table for the head fragment,
+-		 * when defraging timeout at PRE_ROUTING HOOK.
++		 * Only an end host needs to send an ICMP
++		 * "Fragment Reassembly Timeout" message, per RFC792.
+ 		 */
+-		if (qp->user == IP_DEFRAG_CONNTRACK_IN && !skb_dst(head)) {
+-			const struct iphdr *iph = ip_hdr(head);
+-			int err = ip_route_input(head, iph->daddr, iph->saddr,
+-						 iph->tos, head->dev);
+-			if (unlikely(err))
+-				goto out_rcu_unlock;
+-
+-			/*
+-			 * Only an end host needs to send an ICMP
+-			 * "Fragment Reassembly Timeout" message, per RFC792.
+-			 */
+-			if (skb_rtable(head)->rt_type != RTN_LOCAL)
++		
++		if (qp->user == IP_DEFRAG_CONNTRACK_IN &&
++			skb_rtable(head)->rt_type != RTN_LOCAL)
+ 				goto out_rcu_unlock;
+ 
+-		}
+-
+ 		/* Send an ICMP "Fragment Reassembly Timeout" message. */
+ 		icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
+ out_rcu_unlock:
+Tylko w linux-2.6.38/net/ipv4: ip_fragment.c~
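Review bot: The new patch file has no header naming the upstream commit it backports, so the CVE-2011-1927 fix cannot be checked against its origin from the package alone; a short preamble above the `diff -ur` line, such as `Backport of upstream commit <UPSTREAM_COMMIT_ID>, fixes CVE-2011-1927`, would make it auditable. The final line, `Tylko w linux-2.6.38/net/ipv4: ip_fragment.c~`, is localized `diff -r` output about an editor backup file and should be dropped from the patch. On style, the two added separator lines before `/* skb dst is stale ...` and before `if (qp->user == IP_DEFRAG_CONNTRACK_IN &&` contain only tabs, and `goto out_rcu_unlock;` under `if (err)` is indented one tab deeper than the other `goto` statements. The enclosing function starts and ends outside the hunk and is not named in it, so the locking around `out_rcu_unlock` cannot be confirmed from here.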
================================================================

