rpms/kernel/F-11 appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch, NONE, 1.1 kernel.spec, 1.1744, 1.1745

Chuck Ebbert cebbert at fedoraproject.org
Sat Sep 26 18:10:16 UTC 2009


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2460

Modified Files:
	kernel.spec 
Added Files:
	appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch 
Log Message:
Backport "appletalk: Fix skb leak when ipddp interface is not loaded"
  (fixes CVE-2009-2903)

appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch:
 drivers/net/appletalk/ipddp.c |    3 --
 net/appletalk/aarp.c          |   16 +++++++++-----
 net/appletalk/ddp.c           |   47 +++++++++++++++++++++---------------------
 3 files changed, 36 insertions(+), 30 deletions(-)

--- NEW FILE appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch ---
From: Arnaldo Carvalho de Melo <acme at redhat.com>
Date: Fri, 11 Sep 2009 18:35:22 +0000 (-0700)
Subject: Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ffcfb8db540ff879c2a85bf7e404954281443414

Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded

[ backport to 2.6.30 : Chuck Ebbert <cebbert at redhat.com ]

And also do a better job of returning proper NET_{RX,XMIT}_ values.

Based on a patch and suggestions by Mark Smith.

This fixes CVE-2009-2903

Reported-by: Mark Smith <lk-netdev at lk-netdev.nosense.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
---

diff --git a/drivers/net/appletalk/ipddp.c b/drivers/net/appletalk/ipddp.c
index bea87da..aaf14d3 100644
--- a/drivers/net/appletalk/ipddp.c
+++ b/drivers/net/appletalk/ipddp.c
@@ -170,8 +170,7 @@ static netdev_tx_t ipddp_xmit(struct sk_buff *skb, struct net_device *dev)
 	dev->stats.tx_packets++;
 	dev->stats.tx_bytes += skb->len;
 
-        if(aarp_send_ddp(rt->dev, skb, &rt->at, NULL) < 0)
-                dev_kfree_skb(skb);
+	aarp_send_ddp(rt->dev, skb, &rt->at, NULL);
 
         return 0;
 }
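Review bot: With the failure path now handled inside aarp_send_ddp() (it frees the skb and returns NET_XMIT_DROP, per the aarp.c hunk below), ipddp_xmit no longer learns about drops at all: tx_packets and tx_bytes are incremented unconditionally two lines above the call and nothing counts the failure. If the driver wants honest statistics, keep the result: `if (aarp_send_ddp(rt->dev, skb, &rt->at, NULL) == NET_XMIT_DROP) dev->stats.tx_dropped++;`. The unconditional `return 0` remains correct because the skb is consumed on every path, though `return NETDEV_TX_OK;` would match the netdev_tx_t signature in the hunk header. ipddp_xmit begins before this hunk.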
diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
index 89f99d3..9d4adfd 100644
--- a/net/appletalk/aarp.c
+++ b/net/appletalk/aarp.c
@@ -599,7 +599,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb,
 
 	/* Non ELAP we cannot do. */
 	if (dev->type != ARPHRD_ETHER)
-		return -1;
+		goto free_it;
 
 	skb->dev = dev;
 	skb->protocol = htons(ETH_P_ATALK);
@@ -634,7 +634,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb,
 	if (!a) {
 		/* Whoops slipped... good job it's an unreliable protocol 8) */
 		write_unlock_bh(&aarp_lock);
-		return -1;
+		goto free_it;
 	}
 
 	/* Set up the queue */
@@ -663,15 +663,21 @@ out_unlock:
 	write_unlock_bh(&aarp_lock);
 
 	/* Tell the ddp layer we have taken over for this frame. */
-	return 0;
+	goto sent;
 
 sendit:
 	if (skb->sk)
 		skb->priority = skb->sk->sk_priority;
-	dev_queue_xmit(skb);
+	if (dev_queue_xmit(skb))
+		goto drop;
 sent:
-	return 1;
+	return NET_XMIT_SUCCESS;
+free_it:
+	kfree_skb(skb);
+drop:
+	return NET_XMIT_DROP;
 }
+EXPORT_SYMBOL(aarp_send_ddp);
 
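Review bot: The new `if (dev_queue_xmit(skb)) goto drop;` under the sendit label relies on dev_queue_xmit() consuming the skb on failure (which is why it correctly bypasses free_it), and it also maps every non-zero return — including the congestion code NET_XMIT_CN, which only signals that the frame was queued under pressure — to NET_XMIT_DROP. Both facts are easy to get wrong on the next edit, so a comment above the call would help: `/* dev_queue_xmit() consumes skb on failure, so no free here; any non-zero code (incl. NET_XMIT_CN) is reported as a drop. */`. The free_it/drop split (free only while this function still owns the buffer) is a good shape, and the two earlier hunks' `goto free_it` conversions follow it consistently.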
 /*
  *	An entry in the aarp unresolved queue has become resolved. Send
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 0d42d5d..4a6ff2b 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1274,8 +1274,10 @@ static int handle_ip_over_ddp(struct sk_buff *skb)
 	struct net_device_stats *stats;
 
 	/* This needs to be able to handle ipddp"N" devices */
-	if (!dev)
-		return -ENODEV;
+	if (!dev) {
+		kfree_skb(skb);
+		return NET_RX_DROP;
+	}
 
 	skb->protocol = htons(ETH_P_IP);
 	skb_pull(skb, 13);
@@ -1285,8 +1287,7 @@ static int handle_ip_over_ddp(struct sk_buff *skb)
 	stats = netdev_priv(dev);
 	stats->rx_packets++;
 	stats->rx_bytes += skb->len + 13;
-	netif_rx(skb);  /* Send the SKB up to a higher place. */
-	return 0;
+	return netif_rx(skb);  /* Send the SKB up to a higher place. */
 }
 #else
 /* make it easy for gcc to optimize this test out, i.e. kill the code */
@@ -1294,9 +1295,8 @@ static int handle_ip_over_ddp(struct sk_buff *skb)
 #define handle_ip_over_ddp(skb) 0
 #endif
 
-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
-			       struct ddpehdr *ddp, __u16 len_hops,
-			       int origlen)
+static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+			      struct ddpehdr *ddp, __u16 len_hops, int origlen)
 {
 	struct atalk_route *rt;
 	struct atalk_addr ta;
@@ -1363,8 +1363,6 @@ static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
 		/* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */
 		struct sk_buff *nskb = skb_realloc_headroom(skb, 32);
 		kfree_skb(skb);
-		if (!nskb)
-			goto out;
 		skb = nskb;
 	} else
 		skb = skb_unshare(skb, GFP_ATOMIC);
@@ -1373,12 +1371,16 @@ static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
 	 * If the buffer didn't vanish into the lack of space bitbucket we can
 	 * send it.
 	 */
-	if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1)
-		goto free_it;
-out:
-	return;
+	if (skb == NULL)
+		goto drop;
+
+	if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP)
+		return NET_RX_DROP;
+	return NET_XMIT_SUCCESS;
 free_it:
 	kfree_skb(skb);
+drop:
+	return NET_RX_DROP;
 }
 
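Review bot: `return NET_XMIT_SUCCESS;` at the end of atalk_route_packet mixes the transmit and receive status namespaces: the other return sites in this hunk use NET_RX_DROP, and atalk_rcv in the following hunk now propagates the value as a receive-path result. The two constants are both 0 today so this is cosmetic, but `return NET_RX_SUCCESS;` states the intent. The NET_XMIT_DROP branch correctly returns without freeing, since aarp_send_ddp() has already freed the skb on that path (see the free_it label in the aarp.c hunk); a one-line comment there, `/* skb already freed by aarp_send_ddp() on drop */`, would guard against a future double free. atalk_route_packet starts before this hunk, so whether free_it still has other users cannot be confirmed here.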
 /**
@@ -1452,8 +1454,7 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
 		/* Not ours, so we route the packet via the correct
 		 * AppleTalk iface
 		 */
-		atalk_route_packet(skb, dev, ddp, len_hops, origlen);
-		goto out;
+		return atalk_route_packet(skb, dev, ddp, len_hops, origlen);
 	}
 
 	/* if IP over DDP is not selected this code will be optimized out */
@@ -1656,10 +1657,10 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
 		if (skb2) {
 			loopback = 1;
 			SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk);
-			if (aarp_send_ddp(dev, skb2,
-					  &usat->sat_addr, NULL) == -1)
-				kfree_skb(skb2);
-				/* else queued/sent above in the aarp queue */
+			/*
+			 * If it fails it is queued/sent above in the aarp queue
+			 */
+			aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL);
 		}
 	}
 
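Review bot: The replacement comment `If it fails it is queued/sent above in the aarp queue` reads as if failure implies queuing, which inverts what the commit actually establishes: aarp_send_ddp() now owns the skb on every path — sent, queued for resolution, or freed on NET_XMIT_DROP — so the caller must not free or touch it afterwards. Suggest `/* aarp_send_ddp() consumes skb2 on every path (sent, queued, or freed on drop); never free it here */`, and the same wording for skb in the next atalk_sendmsg hunk. With the return value discarded, a dropped datagram is presumably still reported to the sender as a successful write of len bytes; that is defensible for an unreliable datagram protocol but worth stating in the comment. atalk_sendmsg starts and ends outside both hunks.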
@@ -1689,9 +1690,10 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
 		    usat = &gsat;
 		}
 
-		if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1)
-			kfree_skb(skb);
-		/* else queued/sent above in the aarp queue */
+		/*
+		 * If it fails it is queued/sent above in the aarp queue
+		 */
+		aarp_send_ddp(dev, skb, &usat->sat_addr, NULL);
 	}
 	SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len);
 
@@ -1870,7 +1872,6 @@ static struct packet_type ppptalk_packet_type __read_mostly = {
 static unsigned char ddp_snap_id[] = { 0x08, 0x00, 0x07, 0x80, 0x9B };
 
 /* Export symbols for use by drivers when AppleTalk is a module */
-EXPORT_SYMBOL(aarp_send_ddp);
 EXPORT_SYMBOL(atrtr_get_dev);
 EXPORT_SYMBOL(atalk_find_dev_addr);
 


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1744
retrieving revision 1.1745
diff -u -p -r1.1744 -r1.1745
--- kernel.spec	26 Sep 2009 17:49:00 -0000	1.1744
+++ kernel.spec	26 Sep 2009 18:10:15 -0000	1.1745
@@ -758,6 +758,9 @@ Patch14402: kvm-vmx-check-cpl-before-emu
 Patch14403: kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch
 Patch14404: kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
 
+# appletalk: fix skb leak (CVE-2009-2903)
+Patch15200: appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1412,6 +1415,9 @@ ApplyPatch kvm-vmx-check-cpl-before-emul
 ApplyPatch kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch
 ApplyPatch kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
 
+# appletalk: fix skb leak (CVE-2009-2903)
+ApplyPatch appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2000,6 +2006,10 @@ fi
 # and build.
 
 %changelog
+* Sat Sep 26 2009  Chuck Ebbert <cebbert at redhat.com>  2.6.30.8-66
+- Backport "appletalk: Fix skb leak when ipddp interface is not loaded"
+  (fixes CVE-2009-2903)
+
 * Sat Sep 26 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.8-65
 - KVM fixes from 2.6.31.1, including fix for CVE-2009-3290
 



