bridge fix for CVE-2006-5751 (2.6.18.4) v2.6.18.4
authorChris Wright <chrisw@sous-sol.org>
Wed, 29 Nov 2006 18:52:59 +0000 (10:52 -0800)
committerChris Wright <chrisw@sous-sol.org>
Wed, 29 Nov 2006 18:52:59 +0000 (10:52 -0800)
releases/2.6.18.4/bridge-fix-possible-overflow-in-get_fdb_entries.patch [new file with mode: 0644]
releases/2.6.18.4/series [new file with mode: 0644]

diff --git a/releases/2.6.18.4/bridge-fix-possible-overflow-in-get_fdb_entries.patch b/releases/2.6.18.4/bridge-fix-possible-overflow-in-get_fdb_entries.patch
new file mode 100644 (file)
index 0000000..0b5c2e8
--- /dev/null
@@ -0,0 +1,36 @@
+From ba8379b220509e9448c00a77cf6c15ac2a559cc7 Mon Sep 17 00:00:00 2001
+Message-ID: <20061120230249.GB1397@sequoia.sous-sol.org>
+From: Chris Wright <chrisw@sous-sol.org>
+Date: Mon, 20 Nov 2006 15:02:49 -0800
+Subject: bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)
+
+Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).
+
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Acked-by: Eugene Teo <eteo@redhat.com>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+---
+ net/bridge/br_ioctl.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- linux-2.6.18.3.orig/net/bridge/br_ioctl.c
++++ linux-2.6.18.3/net/bridge/br_ioctl.c
+@@ -58,12 +58,13 @@ static int get_fdb_entries(struct net_br
+ {
+       int num;
+       void *buf;
+-      size_t size = maxnum * sizeof(struct __fdb_entry);
++      size_t size;
+-      if (size > PAGE_SIZE) {
+-              size = PAGE_SIZE;
++      /* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */
++      if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry))
+               maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
+-      }
++
++      size = maxnum * sizeof(struct __fdb_entry);
+       buf = kmalloc(size, GFP_USER);
+       if (!buf)
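Review bot: The comment added above the clamp, `/* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */`, does not say which overflow is meant or why the test has to be on maxnum rather than on size, which is the substance of the fix. The product `maxnum * sizeof(struct __fdb_entry)` can wrap in size_t, so a check made after the multiplication can pass with a small size while maxnum stays unbounded; I would spell that out, e.g. `/* Bound maxnum before multiplying: maxnum * sizeof(struct __fdb_entry) can wrap, and a wrapped size would pass a PAGE_SIZE check while maxnum stays large */`. The parameter list and the rest of get_fdb_entries are outside the hunk, so the type of maxnum and how it is used after the kmalloc cannot be confirmed from here; if it bounds the later fill of buf, as it presumably does, the comment should also say that maxnum and not size is the limit that matters.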
diff --git a/releases/2.6.18.4/series b/releases/2.6.18.4/series
new file mode 100644 (file)
index 0000000..21988c4
--- /dev/null
@@ -0,0 +1 @@
+bridge-fix-possible-overflow-in-get_fdb_entries.patch