From 94f591ad20617d06c5ac21e3417235bf151ed17a Mon Sep 17 00:00:00 2001 From: Chris Wright Date: Wed, 11 Jan 2006 10:49:44 -0800 Subject: [PATCH] Add netlink DoS fix (CVE-2006-0035) --- queue/fix-DoS-in-netlink_rcv_skb.patch | 26 ++++++++++++++++++++++++++ queue/series | 1 + 2 files changed, 27 insertions(+) create mode 100644 queue/fix-DoS-in-netlink_rcv_skb.patch diff --git a/queue/fix-DoS-in-netlink_rcv_skb.patch b/queue/fix-DoS-in-netlink_rcv_skb.patch new file mode 100644 index 00000000000..bfe416c718e --- /dev/null +++ b/queue/fix-DoS-in-netlink_rcv_skb.patch @@ -0,0 +1,26 @@ +From nobody Mon Sep 17 00:00:00 2001 +From: Martin Murray +Date: Tue, 10 Jan 2006 21:02:29 +0000 (-0800) +Subject: [AF_NETLINK]: Fix DoS in netlink_rcv_skb() (CVE-2006-0035) + +Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can +cause infinite loop in kernel, effectively DoSing machine. Noted by +Matin Murray. + +Signed-off-by: Chris Wright +Signed-off-by: David S. Miller +--- + net/netlink/af_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.15.y.orig/net/netlink/af_netlink.c ++++ linux-2.6.15.y/net/netlink/af_netlink.c +@@ -1422,7 +1422,7 @@ static int netlink_rcv_skb(struct sk_buf + while (skb->len >= nlmsg_total_size(0)) { + nlh = (struct nlmsghdr *) skb->data; + +- if (skb->len < nlh->nlmsg_len) ++ if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len) + return 0; + + total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len); diff --git a/queue/series b/queue/series index 0f9f415d765..a1cc40c4ff8 100644 --- a/queue/series +++ b/queue/series @@ -11,3 +11,4 @@ netfilter-fix-another-crash-in-ip_nat_pptp.patch fix-bridge-netfilter-matching-ip-fragments.patch sparc64-fix-ptrace.patch sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch +fix-DoS-in-netlink_rcv_skb.patch -- 2.47.3
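Review bot: the new `nlh->nlmsg_len < NLMSG_HDRLEN` test in the `netlink_rcv_skb()` hunk is the right place for the check, because the visible `total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len)` line shows why a zero header length is fatal: `NLMSG_ALIGN(0)` is 0, so `total_len` becomes 0, nothing is consumed from `skb`, and the surrounding `while (skb->len >= nlmsg_total_size(0))` loop re-reads the same header forever. Two smaller points on the same hunk: the loop bound uses `nlmsg_total_size(0)` while the new check uses `NLMSG_HDRLEN` (the same value, but mixing the two macro families makes the reader stop and verify that), so consider `nlmsg_total_size(0)` in both places or a one-line comment; and a short header now makes the function `return 0` silently, exactly as an over-long one already did, so the sender gets no error for a malformed message, which is worth stating in the commit message if that is intended. The commit message also spells the reporter's name "Matin Murray" where the From: line says "Martin Murray".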