From: Chris Wright Date: Wed, 29 Nov 2006 18:52:59 +0000 (-0800) Subject: bridge fix for CVE-2006-5751 (2.6.18.4) X-Git-Tag: v2.6.18.4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3797d5180731fd6435f97d335bc966b9d8e774d1;p=thirdparty%2Fkernel%2Fstable-queue.git bridge fix for CVE-2006-5751 (2.6.18.4)
---
diff --git a/releases/2.6.18.4/bridge-fix-possible-overflow-in-get_fdb_entries.patch b/releases/2.6.18.4/bridge-fix-possible-overflow-in-get_fdb_entries.patch
new file mode 100644
index 00000000000..0b5c2e857c2
--- /dev/null
+++ b/releases/2.6.18.4/bridge-fix-possible-overflow-in-get_fdb_entries.patch
@@ -0,0 +1,36 @@
+From ba8379b220509e9448c00a77cf6c15ac2a559cc7 Mon Sep 17 00:00:00 2001
+Message-ID: <20061120230249.GB1397@sequoia.sous-sol.org>
+From: Chris Wright
+Date: Mon, 20 Nov 2006 15:02:49 -0800
+Subject: bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)
+
+Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).
+
+Signed-off-by: Chris Wright
+Acked-by: Eugene Teo
+Acked-by: Marcel Holtmann
+Signed-off-by: Linus Torvalds
+---
+ net/bridge/br_ioctl.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- linux-2.6.18.3.orig/net/bridge/br_ioctl.c
++++ linux-2.6.18.3/net/bridge/br_ioctl.c
+@@ -58,12 +58,13 @@ static int get_fdb_entries(struct net_br
+ {
+ int num;
+ void *buf;
+- size_t size = maxnum * sizeof(struct __fdb_entry);
++ size_t size;
+
+- if (size > PAGE_SIZE) {
+- size = PAGE_SIZE;
++ /* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */
++ if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry))
+ maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
+- }
++
++ size = maxnum * sizeof(struct __fdb_entry);
+
+ buf = kmalloc(size, GFP_USER);
+ if (!buf)
diff --git a/releases/2.6.18.4/series b/releases/2.6.18.4/series
new file mode 100644
index 00000000000..21988c47c7b
--- /dev/null
+++ b/releases/2.6.18.4/series
@@ -0,0 +1 @@
+bridge-fix-possible-overflow-in-get_fdb_entries.patch
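Review bot: The comment added in get_fdb_entries() in net/bridge/br_ioctl.c (carried inside bridge-fix-possible-overflow-in-get_fdb_entries.patch) says what is tested but not why the bound has to land on maxnum rather than on size. The removed lines capped only size after the multiplication, so a large maxnum could wrap the product and would itself stay unbounded; if maxnum is later used as the entry count when buf is filled, which is presumably the case but happens outside this hunk, the count and the allocation would disagree. I would spell that out, for example `/* Bound maxnum before multiplying: the product cannot wrap, and the entry count stays consistent with the kmalloc() size */`. The bound `PAGE_SIZE/sizeof(struct __fdb_entry)` is also written twice and could be held in one local so the test and the assignment cannot drift apart. The function's signature is truncated in the hunk header and its body continues past the hunk, so the type of maxnum and its later uses are not visible here.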