From: Greg Kroah-Hartman Date: Mon, 31 Mar 2014 23:59:46 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.4.86~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ca30d211bd5e9dca57d89939c6922e4c3ca1df00;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch
---
diff --git a/queue-3.4/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch b/queue-3.4/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch
new file mode 100644
index 00000000000..5f22480347c
--- /dev/null
+++ b/queue-3.4/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch
@@ -0,0 +1,62 @@
+From b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Mon, 6 Jan 2014 00:57:54 +0100
+Subject: netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
+
+From: Daniel Borkmann
+
+commit b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 upstream.
+
+Some occurences in the netfilter tree use skb_header_pointer() in
+the following way ...
+
+ struct dccp_hdr _dh, *dh;
+ ...
+ skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+
+... where dh itself is a pointer that is being passed as the copy
+buffer. Instead, we need to use &_dh as the forth argument so that
+we're copying the data into an actual buffer that sits on the stack.
+
+Currently, we probably could overwrite memory on the stack (e.g.
+with a possibly mal-formed DCCP packet), but unintentionally, as
+we only want the buffer to be placed into _dh variable.
+
+Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -431,7 +431,7 @@ static bool dccp_new(struct nf_conn *ct,
+ const char *msg;
+ u_int8_t state;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ BUG_ON(dh == NULL);
+
+ state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
+@@ -488,7 +488,7 @@ static int dccp_packet(struct nf_conn *c
+ u_int8_t type, old_state, new_state;
+ enum ct_dccp_roles role;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ BUG_ON(dh == NULL);
+ type = dh->dccph_type;
+
+@@ -579,7 +579,7 @@ static int dccp_error(struct net *net, s
+ unsigned int cscov;
+ const char 
*msg;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ if (dh == NULL) {
+ msg = "nf_ct_dccp: short packet ";
+ goto out_invalid;
diff --git a/queue-3.4/series b/queue-3.4/series
index c2bcea6273f..0d5e19ad563 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -3,3 +3,4 @@ ext4-atomically-set-inode-i_flags-in-ext4_set_inode_flags.patch
 input-synaptics-add-manual-min-max-quirk.patch
 input-synaptics-add-manual-min-max-quirk-for-thinkpad-x240.patch
 x86-fix-boot-on-uniprocessor-systems.patch
+netfilter-nf_conntrack_dccp-fix-skb_header_pointer-api-usages.patch
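Review bot: The corrected skb_header_pointer() calls in dccp_new and dccp_packet are still immediately followed by `BUG_ON(dh == NULL)`, so a packet whose DCCP header cannot be pulled into `_dh` would take the kernel down rather than be dropped, and nothing in these hunks documents why that path is considered unreachable. Presumably dccp_error, which in the third hunk handles the NULL return by reporting `nf_ct_dccp: short packet ` and jumping to out_invalid, runs first and rejects such packets, but that ordering is not visible here and the BUG_ON reads as a remotely triggerable assertion to anyone auditing the file. A comment above each BUG_ON such as `/* header length already verified by dccp_error() */` would record the assumption, and since this is a backport of the upstream commit named in the message the comment belongs upstream rather than in the queue patch. All three enclosing functions start and end outside the hunk.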