--- /dev/null
+From nobody Mon Sep 17 00:00:00 2001
+From: Martin Murray <murrayma@citi.umich.edu>
+Date: Tue, 10 Jan 2006 21:02:29 +0000 (-0800)
+Subject: [AF_NETLINK]: Fix DoS in netlink_rcv_skb() (CVE-2006-0035)
+
+Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can
+cause infinite loop in kernel, effectively DoSing machine. Noted by
+Matin Murray.
+
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/netlink/af_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.15.y.orig/net/netlink/af_netlink.c
++++ linux-2.6.15.y/net/netlink/af_netlink.c
+@@ -1422,7 +1422,7 @@ static int netlink_rcv_skb(struct sk_buf
+ while (skb->len >= nlmsg_total_size(0)) {
+ nlh = (struct nlmsghdr *) skb->data;
+
+- if (skb->len < nlh->nlmsg_len)
++ if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len)
+ return 0;
+
+ total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len);
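Review bot: the new lower bound in the `if` has no comment, and the reason for it only becomes clear two lines later. With `nlh->nlmsg_len == 0`, `total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len)` evaluates to 0, which fits the infinite loop the commit message describes if the loop advances by `total_len`. A one-line comment above the check, such as "a length below NLMSG_HDRLEN would make total_len too small to advance", would keep a later cleanup from dropping the bound. The loop condition spells the header size as `nlmsg_total_size(0)` while the new check uses `NLMSG_HDRLEN`; using one spelling for both would make it obvious that the two bounds are meant to agree. The commit message credits "Matin Murray" while the From line reads "Martin Murray", so the credit line is worth correcting before this is applied.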