Mon Jun 5 09:25:38 2006 UTC (18 years, 3 months ago) by niro
File size: 2044 byte(s)
ver bump to 2.6.16-r12: - updated to linux-2.6.16.19 - updated to ck11
1 | niro | 72 | From: Patrick McHardy <kaber@trash.net> |
2 | Date: Sat, 20 May 2006 07:31:26 +0000 (+0200) | ||
3 | Subject: [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444) | ||
4 | X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=1db6b5a66e93ff125ab871d6b3f7363412cc87e8 | ||
5 | |||
6 | [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444) | ||
7 | |||
8 | CVE-2006-2444 - Potential remote DoS in SNMP NAT helper. | ||
9 | |||
10 | Fix memory corruption caused by snmp_trap_decode: | ||
11 | |||
12 | - When snmp_trap_decode fails before the id and address are allocated, | ||
13 | the pointers contain random memory, but are freed by the caller | ||
14 | (snmp_parse_mangle). | ||
15 | |||
16 | - When snmp_trap_decode fails after allocating just the ID, it tries | ||
17 | to free both address and ID, but the address pointer still contains | ||
18 | random memory. The caller frees both ID and random memory again. | ||
19 | |||
20 | - When snmp_trap_decode fails after allocating both, it frees both, | ||
21 | and the caller frees both again. | ||
22 | |||
23 | The corruption can be triggered remotely when the ip_nat_snmp_basic | ||
24 | module is loaded and traffic on port 161 or 162 is NATed. | ||
25 | |||
26 | Found by multiple testcases of the trap-app and trap-enc groups of the | ||
27 | PROTOS c06-snmpv1 testsuite. | ||
28 | |||
29 | Signed-off-by: Patrick McHardy <kaber@trash.net> | ||
30 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> | ||
31 | --- | ||
32 | |||
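--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(st
 
 return 1;
 
+err_addr_free:
+ kfree((unsigned long *)trap->ip_address);
+
 err_id_free:
 kfree(trap->id);
 
-err_addr_free:
- kfree((unsigned long *)trap->ip_address);
-
 return 0;
 }
 
@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned ch
 struct snmp_v1_trap trap;
 unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
 
- /* Discard trap allocations regardless */
- kfree(trap.id);
- kfree((unsigned long *)trap.ip_address);
-
- if (!ret)
+ if (ret) {
+ kfree(trap.id);
+ kfree((unsigned long *)trap.ip_address);
+ } else
 return ret;
 
 } else {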
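Review bot: The else arm of the new `if (ret) { ... } else return ret;` in snmp_parse_mangle is left unbraced while the if arm is braced; kernel coding style asks for braces on both arms in that situation, i.e. `} else {` / `return ret;` / `}`. The ownership rule the fix establishes — snmp_trap_decode now releases id and ip_address itself on its failure paths (first hunk), so the caller frees them only when decoding succeeded — is not stated anywhere near the call, and a comment such as `/* on failure snmp_trap_decode has already freed trap.id and trap.ip_address */` above the `if (ret)` would stop a later maintainer from reinstating the unconditional kfree that caused the double free. Both snmp_trap_decode and snmp_parse_mangle continue outside their hunks.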