From 5f9805e755707a7b5ee4ced05db4ce77deea7c15 Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Thu, 8 Sep 2005 23:31:43 -0700
Subject: [PATCH] Add raw sendmsg DoS patch (CAN-2005-2492)
---
 review/sendmsg-DoS.patch | 48 ++++++++++++++++++++++++++++++++++++++++
 review/series | 1 +
 2 files changed, 49 insertions(+)
 create mode 100644 review/sendmsg-DoS.patch
diff --git a/review/sendmsg-DoS.patch b/review/sendmsg-DoS.patch
new file mode 100644
index 00000000000..b25329ab9f9
--- /dev/null
+++ b/review/sendmsg-DoS.patch
@@ -0,0 +1,48 @@
+From security-bounces@linux.kernel.org Wed Aug 31 02:55:24 2005
+Date: Wed, 31 Aug 2005 10:55:12 +0100 (BST)
+From: Mark J Cox
+Cc: aviro@redhat.com, davem@redhat.com
+Subject: [PATCH] raw_sendmsg DoS (CAN-2005-2492)
+
+From: Al Viro
+
+Fix unchecked __get_user that could be tricked into generating a
+memory read on an arbitrary address. The result of the read is not
+returned directly but you may be able to divine some information about
+it, or use the read to cause a crash on some architectures by reading
+hardware state. CAN-2004-2492.
+
+Fix from Al Viro, ack from Dave Miller.
+
+Signed-off-by: Chris Wright
+---
+ net/ipv4/raw.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.13.y/net/ipv4/raw.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv4/raw.c
++++ linux-2.6.13.y/net/ipv4/raw.c
+@@ -358,7 +358,7 @@ static void raw_probe_proto_opt(struct f
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
+Index: linux-2.6.13.y/net/ipv6/raw.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv6/raw.c
++++ linux-2.6.13.y/net/ipv6/raw.c
+@@ -619,7 +619,7 @@ static void rawv6_probe_proto_opt(struct
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
diff --git a/review/series b/review/series
index ab688d857b5..5e50289ceba 100644
--- a/review/series
+++ b/review/series
@@ -7,3 +7,4 @@ ipsec-oops-fix.patch
 sparc-request_irq-in-RTC-fix.patch
 ipv4-fragmentation-csum-handling.patch
 sendmsg-stackoverflow.patch
+sendmsg-DoS.patch
-- 
2.47.3
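Review bot: Both patched sites, `raw_probe_proto_opt` in net/ipv4/raw.c and `rawv6_probe_proto_opt` in net/ipv6/raw.c, still discard the result of `get_user()`, so a faulting `type` or `code` pointer goes unreported and `probed = 1` is set regardless. A follow-up could gate the flag on both reads succeeding, e.g. `if (!get_user(fl->fl_icmp_type, type) && !get_user(fl->fl_icmp_code, code)) probed = 1;`. Whether a fault should instead propagate as an error to the sendmsg path depends on the rest of these void functions, which start and end outside the quoted hunks. Separately, the description body cites `CAN-2004-2492` while both subject lines use `CAN-2005-2492`; the identifiers should agree so that anyone tracking this fix by advisory number finds it.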