From: Greg Kroah-Hartman Date: Tue, 7 Jul 2020 14:11:20 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.230~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c8f0d957327bef0983b60128a8e5903784be46b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch --- diff --git a/queue-4.4/netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch b/queue-4.4/netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch new file mode 100644 index 00000000000..644fc3753b7 --- /dev/null +++ b/queue-4.4/netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch 
@@ -0,0 +1,42 @@ +From MAILER-DAEMON Tue Jul 7 14:02:16 2020 +From: Vasily Averin +Date: Tue, 09 Jun 2020 10:53:22 +0300 +Subject: netfilter: nf_conntrack_h323: lost .data_len definition for Q.931/ipv6 +To: Pablo Neira Ayuso , netfilter-devel@vger.kernel.org +Cc: Florian Westphal +Message-ID: + +From: Vasily Averin + +Could you please push this patch into stable@? +it fixes memory corruption in kernels v3.5 .. v4.10 + +Lost .data_len definition leads to write beyond end of +struct nf_ct_h323_master. Usually it corrupts following +struct nf_conn_nat, however if nat is not loaded it corrupts +following slab object. + +In mainline this problem went away in v4.11, +after commit 9f0f3ebeda47 ("netfilter: helpers: remove data_len usage +for inkernel helpers") however many stable kernels are still affected. + +Fixes: 1afc56794e03 ("netfilter: nf_ct_helper: implement variable length helper private data") # v3.5 +cc: stable@vger.kernel.org +Reviewed-by: Florian Westphal +Signed-off-by: Vasily Averin +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_h323_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netfilter/nf_conntrack_h323_main.c ++++ b/net/netfilter/nf_conntrack_h323_main.c +@@ -1225,6 +1225,7 @@ static struct nf_conntrack_helper nf_con + { + .name = "Q.931", + .me = THIS_MODULE, ++ .data_len = sizeof(struct nf_ct_h323_master), + .tuple.src.l3num = AF_INET6, + .tuple.src.u.tcp.port = cpu_to_be16(Q931_PORT), + .tuple.dst.protonum = IPPROTO_TCP, diff --git a/queue-4.4/series b/queue-4.4/series index d89added8b1..afbc96c6d50 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -16,3 +16,4 @@ smb3-honor-seal-flag-for-multiuser-mounts.patch smb3-honor-persistent-resilient-handle-flags-for-multiuser-mounts.patch cifs-fix-the-target-file-was-deleted-when-rename-failed.patch mips-add-missing-ehb-in-mtc0-mfc0-sequence-for-dspen.patch +netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch
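Review bot: the hunk at net/netfilter/nf_conntrack_h323_main.c:1225 adds `.data_len = sizeof(struct nf_ct_h323_master)` only to the AF_INET6 Q.931 helper entry, which matches the subject line, but the cover text says the missing field causes writes past the end of `struct nf_ct_h323_master` into the following `nf_conn_nat` or slab object; before queuing for 4.4 it is worth confirming that every other `nf_conntrack_helper` entry in this file (the AF_INET Q.931 entry, H.245 and RAS) already sets `.data_len`, since an entry still lacking it would have the same overflow and the patch description gives no indication either way. The patch header also carries no "commit ... upstream" line: the message explains that mainline dropped `data_len` in v4.11 via 9f0f3ebeda47, so this is a stable-only fix, and that should be stated explicitly in the queued patch (for example as a "no upstream commit, see 9f0f3ebeda47" note) so the stable tooling and later readers do not look for a nonexistent mainline commit. The series hunk simply appends the new file name, which is consistent with the file added above.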