From: Greg Kroah-Hartman
Date: Mon, 1 Jul 2013 18:59:43 +0000 (-0700)
Subject: 3.9-stable patches
X-Git-Tag: v3.9.9~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6e2a850fec820d3174d602d4c6c3b5ed6fbc7a0a;p=thirdparty%2Fkernel%2Fstable-queue.git
3.9-stable patches added patches: netfilter-nf_conntrack_ipv6-plug-sk_buff-leak-in-fragment-handling.patch
---
diff --git a/queue-3.9/netfilter-nf_conntrack_ipv6-plug-sk_buff-leak-in-fragment-handling.patch b/queue-3.9/netfilter-nf_conntrack_ipv6-plug-sk_buff-leak-in-fragment-handling.patch
new file mode 100644
index 00000000000..7bef11c47a6
--- /dev/null
+++ b/queue-3.9/netfilter-nf_conntrack_ipv6-plug-sk_buff-leak-in-fragment-handling.patch
@@ -0,0 +1,40 @@
+From 142dcdd3c25fc7a3866bb06980e8f93a2ed7e050 Mon Sep 17 00:00:00 2001
+From: Phil Oester
+Date: Wed, 19 Jun 2013 06:49:51 -0400
+Subject: netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling
+
+From: Phil Oester
+
+commit 142dcdd3c25fc7a3866bb06980e8f93a2ed7e050 upstream.
+
+In commit 4cdd3408 ("netfilter: nf_conntrack_ipv6: improve fragmentation
+handling"), an sk_buff leak was introduced when dealing with reassembled
+packets by grabbing a reference to the original skb instead of the
+reassembled skb. At this point, the leak only impacted conntracks with an
+associated helper.
+
+In commit 58a317f1 ("netfilter: ipv6: add IPv6 NAT support"), the bug was
+expanded to include all reassembled packets with unconfirmed conntracks.
+
+Fix this by grabbing a reference to the proper reassembled skb. This
+closes netfilter bugzilla #823.
+
+Signed-off-by: Phil Oester
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -204,7 +204,7 @@ static unsigned int __ipv6_conntrack_in(
+ if (ct != NULL && !nf_ct_is_untracked(ct)) {
+ help = nfct_help(ct);
+ if ((help && help->helper) || !nf_ct_is_confirmed(ct)) {
+- nf_conntrack_get_reasm(skb);
++ nf_conntrack_get_reasm(reasm);
+ NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,
+ (struct net_device *)in,
+ (struct net_device *)out,
diff --git a/queue-3.9/series b/queue-3.9/series
index 988b1b0f7d6..12a059ae053 100644
--- a/queue-3.9/series
+++ b/queue-3.9/series
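Review bot: The new `nf_conntrack_get_reasm(reasm);` line in the queued patch's hunk for `__ipv6_conntrack_in` carries no comment tying the reference to the buffer that is handed to `NF_HOOK_THRESH` on the next line. According to the commit message, taking the reference on `skb` instead of `reasm` is exactly what introduced the leak. A one-line comment above the call, such as `/* take the reference on reasm, the skb passed to NF_HOOK_THRESH below, not on the fragment skb */`, would make the pairing explicit and harder to regress. Because this path handles reassembled IPv6 fragments, the leak is presumably reachable from network input and could exhaust memory over time, so it is worth confirming that every stable queue carrying 4cdd3408 also receives this fix. The body of `__ipv6_conntrack_in` starts and ends outside the hunk, so the release side of this reference is not visible here.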
@@ -23,3 +23,4 @@ libata-acpi-add-back-acpi-based-hotplug-functionality.patch
 of-base-release-the-node-correctly-in-of_parse_phandle_with_args.patch
 can-usb_8dev-unregister-netdev-before-free-ing.patch
 mac80211-work-around-broken-aps-not-including-ht-info.patch
+netfilter-nf_conntrack_ipv6-plug-sk_buff-leak-in-fragment-handling.patch