From: Chris Wright <chrisw@osdl.org>
Date: Fri, 9 Sep 2005 06:31:43 +0000 (-0700)
Subject: Add raw sendmsg DoS patch (CAN-2005-2492)
X-Git-Tag: v2.6.13.1~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5f9805e755707a7b5ee4ced05db4ce77deea7c15;p=thirdparty%2Fkernel%2Fstable-queue.git

Add raw sendmsg DoS patch (CAN-2005-2492)
---

diff --git a/review/sendmsg-DoS.patch b/review/sendmsg-DoS.patch
new file mode 100644
index 00000000000..b25329ab9f9
--- /dev/null
+++ b/review/sendmsg-DoS.patch
@@ -0,0 +1,48 @@
+From security-bounces@linux.kernel.org  Wed Aug 31 02:55:24 2005
+Date: Wed, 31 Aug 2005 10:55:12 +0100 (BST)
+From: Mark J Cox <mjc@redhat.com>
+Cc: aviro@redhat.com, davem@redhat.com
+Subject: [PATCH] raw_sendmsg DoS (CAN-2005-2492)
+
+From: Al Viro <aviro@redhat.com>
+
+Fix unchecked __get_user that could be tricked into generating a
+memory read on an arbitrary address.  The result of the read is not
+returned directly but you may be able to divine some information about
+it, or use the read to cause a crash on some architectures by reading
+hardware state.  CAN-2004-2492.
+
+Fix from Al Viro, ack from Dave Miller.
+
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+ net/ipv4/raw.c |    2 +-
+ net/ipv6/raw.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.13.y/net/ipv4/raw.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv4/raw.c
++++ linux-2.6.13.y/net/ipv4/raw.c
+@@ -358,7 +358,7 @@ static void raw_probe_proto_opt(struct f
+ 
+ 			if (type && code) {
+ 				get_user(fl->fl_icmp_type, type);
+-				__get_user(fl->fl_icmp_code, code);
++			        get_user(fl->fl_icmp_code, code);
+ 				probed = 1;
+ 			}
+ 			break;
+Index: linux-2.6.13.y/net/ipv6/raw.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv6/raw.c
++++ linux-2.6.13.y/net/ipv6/raw.c
+@@ -619,7 +619,7 @@ static void rawv6_probe_proto_opt(struct
+ 
+ 			if (type && code) {
+ 				get_user(fl->fl_icmp_type, type);
+-				__get_user(fl->fl_icmp_code, code);
++				get_user(fl->fl_icmp_code, code);
+ 				probed = 1;
+ 			}
+ 			break;
diff --git a/review/series b/review/series
index ab688d857b5..5e50289ceba 100644
--- a/review/series
+++ b/review/series
@@ -7,3 +7,4 @@ ipsec-oops-fix.patch
 sparc-request_irq-in-RTC-fix.patch
 ipv4-fragmentation-csum-handling.patch
 sendmsg-stackoverflow.patch
+sendmsg-DoS.patch