3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 31 Mar 2014 23:59:46 +0000 (16:59 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 31 Mar 2014 23:59:46 +0000 (16:59 -0700)
added patches:
netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch

queue-3.4/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch [new file with mode: 0644]
queue-3.4/series

diff --git a/queue-3.4/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch b/queue-3.4/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch
new file mode 100644 (file)
index 0000000..5f22480
--- /dev/null
@@ -0,0 +1,62 @@
+From b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon, 6 Jan 2014 00:57:54 +0100
+Subject: netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+commit b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 upstream.
+
+Some occurences in the netfilter tree use skb_header_pointer() in
+the following way ...
+
+  struct dccp_hdr _dh, *dh;
+  ...
+  skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+
+... where dh itself is a pointer that is being passed as the copy
+buffer. Instead, we need to use &_dh as the forth argument so that
+we're copying the data into an actual buffer that sits on the stack.
+
+Currently, we probably could overwrite memory on the stack (e.g.
+with a possibly mal-formed DCCP packet), but unintentionally, as
+we only want the buffer to be placed into _dh variable.
+
+Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_proto_dccp.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -431,7 +431,7 @@ static bool dccp_new(struct nf_conn *ct,
+       const char *msg;
+       u_int8_t state;
+-      dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++      dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+       BUG_ON(dh == NULL);
+       state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
+@@ -488,7 +488,7 @@ static int dccp_packet(struct nf_conn *c
+       u_int8_t type, old_state, new_state;
+       enum ct_dccp_roles role;
+-      dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++      dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+       BUG_ON(dh == NULL);
+       type = dh->dccph_type;
+@@ -579,7 +579,7 @@ static int dccp_error(struct net *net, s
+       unsigned int cscov;
+       const char *msg;
+-      dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++      dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+       if (dh == NULL) {
+               msg = "nf_ct_dccp: short packet ";
+               goto out_invalid;
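Review bot: After the fix, `dccp_new` and `dccp_packet` still `BUG_ON(dh == NULL)` right after the corrected `skb_header_pointer()` call, while `dccp_error` handles the NULL case by jumping to `out_invalid`. That asymmetry is presumably safe because the conntrack core invokes the protocol's `error` hook before `new`/`packet`, so a truncated header is rejected before the BUG_ON sites are reached, but that ordering is not visible in this patch and is worth confirming against the 3.4 tree before it is queued. All three enclosing functions start and end outside the hunk, so any further `skb_header_pointer()` call site present only in the 3.4 version of the file would not be visible here and should be checked by a grep of the backport target. The defect the message describes is the pre-fix copy of `sizeof(_dh)` bytes into the pointer-sized `dh` slot whenever the header was not linear in the skb; the new lines copy into the `struct dccp_hdr _dh` buffer instead, so the destination now matches the length already passed.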
index c2bcea6273f26aeaf45a021731a70cd52dc655ed..0d5e19ad563dacd0e97e7606e302aec8e224745f 100644 (file)
@@ -3,3 +3,4 @@ ext4-atomically-set-inode-i_flags-in-ext4_set_inode_flags.patch
 input-synaptics-add-manual-min-max-quirk.patch
 input-synaptics-add-manual-min-max-quirk-for-thinkpad-x240.patch
 x86-fix-boot-on-uniprocessor-systems.patch
+netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch