1 files changed, 50 insertions, 0 deletions

diff --git a/main/linux-grsec/0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch b/main/linux-grsec/0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch
new file mode 100644
index 0000000000..d43160f1fa
--- /dev/null
+++ b/main/linux-grsec/0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch
@@ -0,0 +1,50 @@
+From 113ab386c7d6625cff284fb10952ff69a58c18a4 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Fri, 14 Oct 2011 04:57:46 +0000
+Subject: [PATCH] ip_gre: dont increase dev->needed_headroom on a live device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It seems ip_gre is able to change dev->needed_headroom on the fly.
+
+Its is not legal unfortunately and triggers a BUG in raw_sendmsg()
+
+skb = sock_alloc_send_skb(sk, ... + LL_ALLOCATED_SPACE(rt->dst.dev)
+
+< another cpu change dev->needed_headromm (making it bigger)
+
+...
+skb_reserve(skb, LL_RESERVED_SPACE(rt->dst.dev));
+
+We end with LL_RESERVED_SPACE() being bigger than LL_ALLOCATED_SPACE()
+-> we crash later because skb head is exhausted.
+
+Bug introduced in commit 243aad83 in 2.6.34 (ip_gre: include route
+header_len in max_headroom calculation)
+
+Reported-by: Elmar Vonlanthen <evonlanthen@gmail.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+CC: Timo Teräs <timo.teras@iki.fi>
+CC: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv4/ip_gre.c |    2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index d7bb94c..d55110e 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -835,8 +835,6 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
+ 	if (skb_headroom(skb) < max_headroom || skb_shared(skb)||
+ 	    (skb_cloned(skb) && !skb_clone_writable(skb, 0))) {
+ 		struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom);
+-		if (max_headroom > dev->needed_headroom)
+-			dev->needed_headroom = max_headroom;
+ 		if (!new_skb) {
+ 			ip_rt_put(rt);
+ 			dev->stats.tx_dropped++;
+-- 
+1.7.7
+