Diffstat (limited to 'sys-kernel/xen-sources/files/CVE-2006-4572.patch')
-rw-r--r--sys-kernel/xen-sources/files/CVE-2006-4572.patch185
1 files changed, 0 insertions, 185 deletions
diff --git a/sys-kernel/xen-sources/files/CVE-2006-4572.patch b/sys-kernel/xen-sources/files/CVE-2006-4572.patch
deleted file mode 100644
index df46a7059260..000000000000
--- a/sys-kernel/xen-sources/files/CVE-2006-4572.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From: Patrick McHardy <kaber@trash.net>
-Date: Sun, 5 Nov 2006 08:04:23 +0000 (+0100)
-Subject: [NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)
-X-Git-Tag: v2.6.16.31-rc1^0~1
-X-Git-Url: http://www.kernel.org/git/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.16.y.git;a=commitdiff_plain;h=0ddfcc96928145d6a6425fdd26dad6abfe7f891d;hp=6ac62be885810e1f8390f0c3b9d3ee451d3d3f19
-
-[NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)
-
-As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
-to a fragmentation attack causing false negatives on extension header
-matches.
-
-When extension headers occur in the non-first fragment after the fragment
-header (possibly with an incorrect nexthdr value in the fragment header)
-a rule looking for this extension header will never match.
-
-Drop fragments that are at offset 0 and don't contain the final protocol
-header regardless of the ruleset, since this should not happen normally.
-Since all extension headers are before the protocol header this makes sure
-an extension header is either not present or in the first fragment, where
-we can properly parse it.
-
-With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
-
-Signed-off-by: Patrick McHardy <kaber@trash.net>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
----
-
-diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
-index a3e3da1..e2bb9ac 100644
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1447,6 +1447,9 @@ static void __exit fini(void)
- * If target header is found, its offset is set in *offset and return protocol
- * number. Otherwise, return -1.
- *
-+ * If the first fragment doesn't contain the final protocol header or
-+ * NEXTHDR_NONE it is considered invalid.
-+ *
- * Note that non-1st fragment is special case that "the protocol number
- * of last header" is "next header" field in Fragment header. In this case,
- * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
-@@ -1470,12 +1473,12 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
- if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
- if (target < 0)
- break;
-- return -1;
-+ return -ENOENT;
- }
-
- hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
- if (hp == NULL)
-- return -1;
-+ return -EBADMSG;
- if (nexthdr == NEXTHDR_FRAGMENT) {
- unsigned short _frag_off, *fp;
- fp = skb_header_pointer(skb,
-@@ -1484,7 +1487,7 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
- sizeof(_frag_off),
- &_frag_off);
- if (fp == NULL)
-- return -1;
-+ return -EBADMSG;
-
- _frag_off = ntohs(*fp) & ~0x7;
- if (_frag_off) {
-@@ -1495,7 +1498,7 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
- *fragoff = _frag_off;
- return hp->nexthdr;
- }
-- return -1;
-+ return -ENOENT;
- }
- hdrlen = 8;
- } else if (nexthdr == NEXTHDR_AUTH)
-diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
-index 219a303..002b8a1 100644
---- a/net/ipv6/netfilter/ip6t_ah.c
-+++ b/net/ipv6/netfilter/ip6t_ah.c
-@@ -53,9 +53,14 @@ match(const struct sk_buff *skb,
- const struct ip6t_ah *ahinfo = matchinfo;
- unsigned int ptr;
- unsigned int hdrlen = 0;
-+ int err;
-
-- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL) < 0)
-+ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
-+ if (err < 0) {
-+ if (err != -ENOENT)
-+ *hotdrop = 1;
- return 0;
-+ }
-
- ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
- if (ah == NULL) {
-diff --git a/net/ipv6/netfilter/ip6t_dst.c b/net/ipv6/netfilter/ip6t_dst.c
-index b4c153a..2441228 100644
---- a/net/ipv6/netfilter/ip6t_dst.c
-+++ b/net/ipv6/netfilter/ip6t_dst.c
-@@ -69,13 +69,18 @@ match(const struct sk_buff *skb,
- u8 _opttype, *tp = NULL;
- u8 _optlen, *lp = NULL;
- unsigned int optlen;
-+ int err;
-
- #if HOPBYHOP
-- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0)
-+ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL);
- #else
-- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL) < 0)
-+ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL);
- #endif
-+ if (err < 0) {
-+ if (err != -ENOENT)
-+ *hotdrop = 1;
- return 0;
-+ }
-
- oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
- if (oh == NULL) {
-diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
-index 4c14125..185f583 100644
---- a/net/ipv6/netfilter/ip6t_frag.c
-+++ b/net/ipv6/netfilter/ip6t_frag.c
-@@ -51,9 +51,14 @@ match(const struct sk_buff *skb,
- struct frag_hdr _frag, *fh;
- const struct ip6t_frag *fraginfo = matchinfo;
- unsigned int ptr;
-+ int err;
-
-- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL) < 0)
-+ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
-+ if (err < 0) {
-+ if (err != -ENOENT)
-+ *hotdrop = 1;
- return 0;
-+ }
-
- fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
- if (fh == NULL) {
-diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
-index 37a8474..af56eaf 100644
---- a/net/ipv6/netfilter/ip6t_hbh.c
-+++ b/net/ipv6/netfilter/ip6t_hbh.c
-@@ -69,13 +69,18 @@ match(const struct sk_buff *skb,
- u8 _opttype, *tp = NULL;
- u8 _optlen, *lp = NULL;
- unsigned int optlen;
-+ int err;
-
- #if HOPBYHOP
-- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0)
-+ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL);
- #else
-- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL) < 0)
-+ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL);
- #endif
-+ if (err < 0) {
-+ if (err != -ENOENT)
-+ *hotdrop = 1;
- return 0;
-+ }
-
- oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
- if (oh == NULL) {
-diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
-index 8f82476..537b311 100644
---- a/net/ipv6/netfilter/ip6t_rt.c
-+++ b/net/ipv6/netfilter/ip6t_rt.c
-@@ -57,9 +57,14 @@ match(const struct sk_buff *skb,
- unsigned int hdrlen = 0;
- unsigned int ret = 0;
- struct in6_addr *ap, _addr;
-+ int err;
-
-- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL) < 0)
-+ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
-+ if (err < 0) {
-+ if (err != -ENOENT)
-+ *hotdrop = 1;
- return 0;
-+ }
-
- rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
- if (rh == NULL) {