Message-Id: <20131021.182526.71647778047356987.davem@davemloft.net>
Date: Mon, 21 Oct 2013 18:25:26 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: hannes@...essinduktion.org
Cc: netdev@...r.kernel.org, jiri@...nulli.us, eric.dumazet@...il.com
Subject: Re: [PATCH stable] inet: fix possible memory corruption with
UDP_CORK and UFO
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
Date: Tue, 22 Oct 2013 00:07:47 +0200
> This is a replacement patch only for stable which does fix the problems
> handled by the following two commits in -net:
>
> "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
> "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
>
> Three frames are written on a corked udp socket for which the output
> netdevice has UFO enabled. If the first and third frame are smaller than
> the mtu and the second one is bigger, we enqueue the second frame with
> skb_append_datato_frags without initializing the gso fields. This leads
> to the third frame appended regularly and thus constructing an invalid skb.
>
> This fixes the problem by always using skb_append_datato_frags as soon
> as the first frag got enqueued to the skb without marking the packet
> as SKB_GSO_UDP.
>
> The problem with only two frames for ipv6 was fixed by "ipv6: udp
> packets following an UFO enqueued packet need also be handled by UFO"
> (2811ebac2521ceac84f2bdae402455baa6a7fb47).
>
> Cc: Jiri Pirko <jiri@...nulli.us>
> Cc: Eric Dumazet <eric.dumazet@...il.com>
> Cc: David Miller <davem@...emloft.net>
> Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
Queued up for -stable, thanks Hannes.