Contents of /trunk/kernel26-magellan/patches-2.6.16-r12/0133-2.6.16.18-netfilter-snmp-nat-fix-memory-corruption.patch
Mon Jun 5 09:25:38 2006 UTC (18 years, 3 months ago) by niro
File size: 2044 byte(s)
ver bump to 2.6.16-r12: - updated to linux-2.6.16.19 - updated to ck11
1 | From: Patrick McHardy <kaber@trash.net> |
2 | Date: Sat, 20 May 2006 07:31:26 +0000 (+0200) |
3 | Subject: [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444) |
4 | X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=1db6b5a66e93ff125ab871d6b3f7363412cc87e8 |
5 | |
6 | [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444) |
7 | |
8 | CVE-2006-2444 - Potential remote DoS in SNMP NAT helper. |
9 | |
10 | Fix memory corruption caused by snmp_trap_decode: |
11 | |
12 | - When snmp_trap_decode fails before the id and address are allocated, |
13 | the pointers contain random memory, but are freed by the caller |
14 | (snmp_parse_mangle). |
15 | |
16 | - When snmp_trap_decode fails after allocating just the ID, it tries |
17 | to free both address and ID, but the address pointer still contains |
18 | random memory. The caller frees both ID and random memory again. |
19 | |
20 | - When snmp_trap_decode fails after allocating both, it frees both, |
21 | and the caller frees both again. |
22 | |
23 | The corruption can be triggered remotely when the ip_nat_snmp_basic |
24 | module is loaded and traffic on port 161 or 162 is NATed. |
25 | |
26 | Found by multiple testcases of the trap-app and trap-enc groups of the |
27 | PROTOS c06-snmpv1 testsuite. |
28 | |
29 | Signed-off-by: Patrick McHardy <kaber@trash.net> |
30 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
31 | --- |
32 | |
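--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(st
 
 return 1;
 
+err_addr_free:
+ kfree((unsigned long *)trap->ip_address);
+
 err_id_free:
 kfree(trap->id);
 
-err_addr_free:
- kfree((unsigned long *)trap->ip_address);
-
 return 0;
 }
 
@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned ch
 struct snmp_v1_trap trap;
 unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
 
- /* Discard trap allocations regardless */
- kfree(trap.id);
- kfree((unsigned long *)trap.ip_address);
-
- if (!ret)
+ if (ret) {
+ kfree(trap.id);
+ kfree((unsigned long *)trap.ip_address);
+ } else
 return ret;
 
 } else {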
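Review bot: `trap` is still declared uninitialized at the top of the second hunk (`struct snmp_v1_trap trap;`), so after this change the only thing keeping a failed snmp_trap_decode() from handing stack garbage to kfree() is the new ownership rule that decode frees on failure and the caller frees only on success — the exact bug class this patch fixes. Zero-initializing it, `struct snmp_v1_trap trap = { .id = NULL, .ip_address = NULL };`, turns any future missed cleanup path in decode into a harmless kfree(NULL), and the rule itself deserves a comment above the new branch, `/* On failure snmp_trap_decode() has already freed trap.id and trap.ip_address */`, since nothing at the call site now says why the frees are conditional. Stylistically the else arm should be braced to match the braced if arm, `} else {` / `return ret;` / `}`. snmp_parse_mangle's body starts and ends outside the hunk.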