[kernel/f20] CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)
Josh Boyer
jwboyer at fedoraproject.org
Tue Mar 11 13:03:53 UTC 2014
commit 1dd978d38fda457a595109e85851032e626c0c90
Author: Josh Boyer <jwboyer at redhat.com>
Date: Tue Mar 11 09:00:52 2014 -0400
CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)
...set-DST_NOCOUNT-for-remotely-added-routes.patch | 32 ++++++++++++++++++++
kernel.spec | 9 +++++
2 files changed, 41 insertions(+), 0 deletions(-)
---
diff --git a/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
new file mode 100644
index 0000000..9c07c7e
--- /dev/null
+++ b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
@@ -0,0 +1,32 @@
+Bugzilla: 1074471
+Upstream-status: queued for 3.14
+
+From c88507fbad8055297c1d1e21e599f46960cbee39 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd at queasysnail.net>
+Date: Thu, 06 Mar 2014 16:51:57 +0000
+Subject: ipv6: don't set DST_NOCOUNT for remotely added routes
+
+DST_NOCOUNT should only be used if an authorized user adds routes
+locally. In case of routes which are added on behalf of router
+advertisments this flag must not get used as it allows an unlimited
+number of routes getting added remotely.
+
+Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 11dac21..fba54a4 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1513,7 +1513,7 @@ int ip6_route_add(struct fib6_config *cfg)
+ if (!table)
+ goto out;
+
+- rt = ip6_dst_alloc(net, NULL, DST_NOCOUNT, table);
++ rt = ip6_dst_alloc(net, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT, table);
+
+ if (!rt) {
+ err = -ENOMEM;
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index 992ff22..146b975 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -794,6 +794,9 @@ Patch25039: Revert-xhci-1.0-Limit-arbitrarily-aligned-scatter-gather.patch
#rhbz 1065663
Patch25040: iwlwifi-dvm-clear-IWL_STA_UCODE_INPROGRESS-when-asso.patch
+#CVE-2014-2309 rhbz 1074471 1075064
+Patch25041: ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1544,6 +1547,9 @@ ApplyPatch Revert-xhci-1.0-Limit-arbitrarily-aligned-scatter-gather.patch
#rhbz 1065663
ApplyPatch iwlwifi-dvm-clear-IWL_STA_UCODE_INPROGRESS-when-asso.patch
+#CVE-2014-2309 rhbz 1074471 1075064
+ApplyPatch ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2355,6 +2361,9 @@ fi
# ||----w |
# || ||
%changelog
+* Tue Mar 11 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)
+
* Fri Mar 07 2014 Justin M. Forbes <jforbes at fedoraproject.org> - 3.13.6-200
- Linux v3.13.6
More information about the scm-commits
mailing list