From: Chris Wright Date: Wed, 22 Mar 2006 23:33:07 +0000 (-0800) Subject: Add ipid fix (CVE-2006-1242), fwd from DaveM X-Git-Tag: v2.6.16.1~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d4b764dd91566483be6db1b22dd055e1dc6430e9;p=thirdparty%2Fkernel%2Fstable-queue.git Add ipid fix (CVE-2006-1242), fwd from DaveM --- diff --git a/queue-2.6.16/series b/queue-2.6.16/series index 0f1b434518a..899daeef1c5 100644 --- a/queue-2.6.16/series +++ b/queue-2.6.16/series @@ -2,3 +2,4 @@ sata_mv-fix-irq-port-status-usage.patch v4l-dvb-fix-samsung-tuner-frequency-ranges.patch kconfig-video_decoder-must-select-fw_loader.patch 2.6.xx-sata_mv-another-critical-fix.patch +tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch diff --git a/queue-2.6.16/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch b/queue-2.6.16/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch new file mode 100644 index 00000000000..5bdbfae1c62 --- /dev/null +++ b/queue-2.6.16/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch 
@@ -0,0 +1,51 @@ +From stable-bounces@linux.kernel.org Wed Mar 22 14:36:39 2006 +Date: Wed, 22 Mar 2006 14:34:42 -0800 (PST) +From: "David S. Miller" +To: stable@kernel.org +Cc: +Subject: [PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242) + +From: Alexey Kuznetsov + + +The problem is in ip_push_pending_frames(), which uses: + + if (!df) { + __ip_select_ident(iph, &rt->u.dst, 0); + } else { + iph->id = htons(inet->id++); + } + +instead of ip_select_ident(). + +Right now I think the code is a nonsense. Most likely, I copied it from +old ip_build_xmit(), where it was really special, we had to decide +whether to generate unique ID when generating the first (well, the last) +fragment. + +In ip_push_pending_frames() it does not make sense, it should use plain +ip_select_ident() instead. + +Signed-off-by: Alexey Kuznetsov +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + net/ipv4/ip_output.c | 6 +----- + 1 files changed, 1 insertion(+), 5 deletions(-) + +--- linux-2.6.16.orig/net/ipv4/ip_output.c ++++ linux-2.6.16/net/ipv4/ip_output.c +@@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock * + iph->tos = inet->tos; + iph->tot_len = htons(skb->len); + iph->frag_off = df; +- if (!df) { +- __ip_select_ident(iph, &rt->u.dst, 0); +- } else { +- iph->id = htons(inet->id++); +- } ++ ip_select_ident(iph, &rt->u.dst, sk); + iph->ttl = ttl; + iph->protocol = sk->sk_protocol; + iph->saddr = rt->rt_src; diff --git a/queue/series b/queue/series index a665635570c..bad1e52fe9b 100644 --- a/queue/series +++ b/queue/series @@ -3,3 +3,4 @@ netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch compat-ifconf-fix-limits.patch cramfs-mounts-provide-corrupted-content-since-2.6.15.patch kconfig-video_decoder-must-select-fw_loader.patch +tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch 
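Review bot: The single replacement line `+ ip_select_ident(iph, &rt->u.dst, sk);` is the whole fix, but neither the hunk nor the commit body explains why the removed `iph->id = htons(inet->id++);` branch was a problem; only the Subject names the global tcp_socket. Because ip_push_pending_frames() in net/ipv4/ip_output.c is shared by every IPv4 sender that queues pending frames, not only the TCP RST path the Subject refers to, the commit message should say two things so the change can be reviewed as a security fix: that RSTs are emitted through the shared tcp_socket, so the old DF branch incremented and exposed that socket's `inet->id` counter to every peer that received a RST; and how ip_select_ident() treats a socket with no peer, since passing `sk` to it is what keeps that counter out of the packet. It should also confirm that the `!df` case, previously `__ip_select_ident(iph, &rt->u.dst, 0)`, keeps its existing ID selection after the change, because the hunk removes that call without stating that ip_select_ident() covers it.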
diff --git a/queue/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch b/queue/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch new file mode 100644 index 00000000000..7ed36904135 --- /dev/null +++ b/queue/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch @@ -0,0 +1,51 @@ +From stable-bounces@linux.kernel.org Wed Mar 22 14:36:39 2006 +Date: Wed, 22 Mar 2006 14:34:42 -0800 (PST) +From: "David S. Miller" +To: stable@kernel.org +Cc: +Subject: [PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242) + +From: Alexey Kuznetsov + + +The problem is in ip_push_pending_frames(), which uses: + + if (!df) { + __ip_select_ident(iph, &rt->u.dst, 0); + } else { + iph->id = htons(inet->id++); + } + +instead of ip_select_ident(). + +Right now I think the code is a nonsense. Most likely, I copied it from +old ip_build_xmit(), where it was really special, we had to decide +whether to generate unique ID when generating the first (well, the last) +fragment. + +In ip_push_pending_frames() it does not make sense, it should use plain +ip_select_ident() instead. + +Signed-off-by: Alexey Kuznetsov +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + net/ipv4/ip_output.c | 6 +----- + 1 files changed, 1 insertion(+), 5 deletions(-) + +--- linux-2.6.15.6.orig/net/ipv4/ip_output.c ++++ linux-2.6.15.6/net/ipv4/ip_output.c +@@ -1237,11 +1237,7 @@ int ip_push_pending_frames(struct sock * + iph->tos = inet->tos; + iph->tot_len = htons(skb->len); + iph->frag_off = df; +- if (!df) { +- __ip_select_ident(iph, &rt->u.dst, 0); +- } else { +- iph->id = htons(inet->id++); +- } ++ ip_select_ident(iph, &rt->u.dst, sk); + iph->ttl = ttl; + iph->protocol = sk->sk_protocol; + iph->saddr = rt->rt_src;
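Review bot: This copy is the same patch rebased onto linux-2.6.15.6 with only the hunk offset moved (`@@ -1237,11 +1237,7 @@` here against `@@ -1249,11 +1249,7 @@` in the 2.6.16 queue) and identical context lines, so it applies cleanly, but the added line `+ ip_select_ident(iph, &rt->u.dst, sk);` assumes the 2.6.15 tree already has the three-argument ip_select_ident(iph, dst, sk) that the 2.6.16 version calls; nothing in the hunk shows that, and a build against 2.6.15.6 should be noted before this entry is taken into queue/series. As a style point, the duplicated patch header still carries an empty `Cc:` line and the diffstat wording `1 files changed`, both copied verbatim from the 2.6.16 queue file; the counts (1 insertion, 5 deletions) do match the hunk, so only the empty header needs dropping from the stable-queue copy.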