summaryrefslogtreecommitdiffstats
path: root/main/linux-grsec/CVE-2013-4348.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/linux-grsec/CVE-2013-4348.patch')
-rw-r--r--main/linux-grsec/CVE-2013-4348.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/main/linux-grsec/CVE-2013-4348.patch b/main/linux-grsec/CVE-2013-4348.patch
new file mode 100644
index 000000000..cce1592eb
--- /dev/null
+++ b/main/linux-grsec/CVE-2013-4348.patch
@@ -0,0 +1,35 @@
+From 6f092343855a71e03b8d209815d8c45bf3a27fcd Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 01 Nov 2013 07:01:10 +0000
+Subject: net: flow_dissector: fail on evil iph->ihl
+
+We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
+skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
+is evil (less than 5).
+
+This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
+(rps: support IPIP encapsulation).
+
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 8d7d0dd..143b6fd 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -40,7 +40,7 @@ again:
+ struct iphdr _iph;
+ ip:
+ iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
+- if (!iph)
++ if (!iph || iph->ihl < 5)
+ return false;
+
+ if (ip_is_fragment(iph))
+--
+cgit v0.9.2