Commit 96b9ab67 authored by Dann Frazier

* bugfix/nf_conntrack-set-nfctinfo.patch

  [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
  which allows remote attackers to bypass certain rulesets
  See CVE-2007-1497

svn path=/dists/etch-security/linux-2.6/; revision=8530
parent b5777b04
......@@ -4,8 +4,12 @@ linux-2.6 (2.6.18.dfsg.1-12etch2) UNRELEASED; urgency=high
[SECURITY] Fix remotely exploitable NULL pointer dereference in
nfulnl_recv_config()
See CVE-2007-1496
* bugfix/nf_conntrack-set-nfctinfo.patch
[SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
which allows remote attackers to bypass certain rulesets
See CVE-2007-1497
-- dann frazier <dannf@debian.org> Mon, 30 Apr 2007 17:20:14 -0600
-- dann frazier <dannf@debian.org> Mon, 30 Apr 2007 17:30:17 -0600
linux-2.6 (2.6.18.dfsg.1-12etch1) stable-security; urgency=high
......
From: Patrick McHardy <kaber@trash.net>
Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100)
Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
X-Git-Tag: v2.6.20.3~11
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
The individual fragments of a packet reassembled by conntrack have the
conntrack reference from the reassembled packet attached, but nfctinfo
is not copied. This leaves it initialized to 0, which unfortunately is
the value of IP_CT_ESTABLISHED.
The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index a20615f..6155b80 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
}
nf_conntrack_get(reasm->nfct);
(*pskb)->nfct = reasm->nfct;
+ (*pskb)->nfctinfo = reasm->nfctinfo;
return NF_ACCEPT;
}
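Review bot: the added `(*pskb)->nfctinfo = reasm->nfctinfo;` in ipv6_conntrack_in() needs a short comment stating that nfct and nfctinfo have to be copied as a pair. The commit message explains that a fragment whose nfctinfo is left at 0 is read as IP_CT_ESTABLISHED, so forgetting the second assignment fails open against rulesets that accept ESTABLISHED early, and nothing in the code at this site records that. The hunk fixes only this one assignment of `reasm->nfct`; it would be worth checking any other place that attaches a conntrack reference to an skb without also setting nfctinfo, since it would have the same effect.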
+ bugfix/nfnetlink_log-null-deref.patch
+ bugfix/nf_conntrack-set-nfctinfo.patch