Author: dannf
Date: Sun Aug 27 03:57:04 2006
New Revision: 7243

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
Log: * snmp-nat-mem-corruption-fix.dpatch [SECURITY] Fix memory corruption in snmp_trap_decode See CVE-2006-2444 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sun Aug 27 03:57:04 2006 @@ -46,8 +46,11 @@ readv-writev-missing-lsm-check-compat.dpatch [SECURITY] Add missing file_permission callback in readv/writev syscalls See CVE-2006-1856 + * snmp-nat-mem-corruption-fix.dpatch + [SECURITY] Fix memory corruption in snmp_trap_decode + See CVE-2006-2444 - -- dann frazier <[EMAIL PROTECTED]> Sat, 26 Aug 2006 21:18:29 -0600 + -- dann frazier <[EMAIL PROTECTED]> Sat, 26 Aug 2006 21:52:14 -0600 kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5 Sun Aug 27 03:57:04 2006 @@ -9,3 +9,4 @@ + exit-bogus-bugon.dpatch + readv-writev-missing-lsm-check.dpatch + readv-writev-missing-lsm-check-compat.dpatch ++ snmp-nat-mem-corruption-fix.dpatch Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch Sun Aug 27 03:57:04 2006 
@@ -0,0 +1,67 @@ +From: Patrick McHardy <[EMAIL PROTECTED]> +Date: Sat, 20 May 2006 07:31:26 +0000 (+0200) +Subject: [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444) +X-Git-Tag: v2.6.16.18 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=1db6b5a66e93ff125ab871d6b3f7363412cc87e8 + +[PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444) + +CVE-2006-2444 - Potential remote DoS in SNMP NAT helper. + +Fix memory corruption caused by snmp_trap_decode: + +- When snmp_trap_decode fails before the id and address are allocated, + the pointers contain random memory, but are freed by the caller + (snmp_parse_mangle). + +- When snmp_trap_decode fails after allocating just the ID, it tries + to free both address and ID, but the address pointer still contains + random memory. The caller frees both ID and random memory again. + +- When snmp_trap_decode fails after allocating both, it frees both, + and the callers frees both again. + +The corruption can be triggered remotely when the ip_nat_snmp_basic +module is loaded and traffic on port 161 or 162 is NATed. + +Found by multiple testcases of the trap-app and trap-enc groups of the +PROTOS c06-snmpv1 testsuite. 
+ +Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]> +Signed-off-by: Chris Wright <[EMAIL PROTECTED]> +--- + +--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c ++++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c +@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(st + + return 1; + ++err_addr_free: ++ kfree((unsigned long *)trap->ip_address); ++ + err_id_free: + kfree(trap->id); + +-err_addr_free: +- kfree((unsigned long *)trap->ip_address); +- + return 0; + } + +@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned ch + struct snmp_v1_trap trap; + unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check); + +- /* Discard trap allocations regardless */ +- kfree(trap.id); +- kfree((unsigned long *)trap.ip_address); +- +- if (!ret) ++ if (ret) { ++ kfree(trap.id); ++ kfree((unsigned long *)trap.ip_address); ++ } else + return ret; + + } else { _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
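Review bot: in the snmp_trap_decode hunk the reordered labels are correct only by construction: err_addr_free may be reached only after trap->ip_address has been allocated and err_id_free only after trap->id has, and the hunk shows just the epilogue, so every goto earlier in snmp_trap_decode that targets these labels should be checked against that rule, since a jump to err_addr_free from before the address allocation would again kfree() an uninitialized pointer. A cheap safeguard is to set trap->id and trap->ip_address to NULL at function entry, which makes kfree(NULL) harmless if a later edit picks the wrong label. Style: the `(unsigned long *)` cast in `kfree((unsigned long *)trap->ip_address);` is unnecessary, kfree() takes a const void pointer.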
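Review bot: in the snmp_parse_mangle hunk the `if (ret) { ... } else return ret;` form braces one branch and not the other, and returns ret where it is known to be 0; kernel CodingStyle wants braces on both branches when either needs them, and the early-return shape is clearer: `if (!ret) return 0;` followed by the two kfree() calls. The removed "Discard trap allocations regardless" comment should also be replaced rather than dropped, because the ownership rule now spans two functions (snmp_trap_decode frees on failure, the caller frees only on success) and nothing in the code states it.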
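The commit message describes an ownership bug in two halves: snmp_trap_decode's error labels freed the address pointer on paths where it had never been allocated, and snmp_parse_mangle freed both pointers again regardless of the result. The following user-space model, added here and not taken from the kernel or the Debian patch, reproduces both the original and the fixed behaviour side by side. The trap wire format, the struct and function names (trap_decode, parse_mangle, audit_run), and a tracking allocator that counts frees instead of calling free() are all constructed for the example, so the double frees are observable without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Tracking allocator (constructed): counts frees per pointer instead of
 * releasing memory, so a double free or a free of garbage cannot crash. */
#define MAX_TRACK 16
static void *tracked[MAX_TRACK];
static int   free_count[MAX_TRACK];
static int   ntracked;
static int   bad_frees;               /* frees of pointers t_alloc never returned */

static void t_reset(void)
{
    for (int i = 0; i < ntracked; i++)
        free(tracked[i]);
    ntracked = 0;
    bad_frees = 0;
}

static void *t_alloc(size_t n)
{
    void *p = malloc(n);
    if (p && ntracked < MAX_TRACK) {
        tracked[ntracked] = p;
        free_count[ntracked++] = 0;
    }
    return p;
}

static void t_free(void *p)           /* stands in for kfree() */
{
    for (int i = 0; i < ntracked; i++)
        if (tracked[i] == p) { free_count[i]++; return; }
    bad_frees++;
}

struct trap { unsigned long *id; unsigned long *ip_address; };

/* Constructed wire format: [n][n id bytes][4 address bytes][version, must be 0].
 * buggy=1 reproduces the original label order (err_id_free falls into
 * err_addr_free); buggy=0 is the patched order (err_addr_free falls into
 * err_id_free), so a failing decode owns nothing on return. */
static int trap_decode(const unsigned char *buf, size_t len, struct trap *trap, int buggy)
{
    size_t n;
    if (len < 1 || buf[0] == 0 || buf[0] > 8)
        return 0;                                   /* fails before any allocation */
    n = buf[0];
    trap->id = t_alloc(n * sizeof(unsigned long));
    if (!trap->id)
        return 0;
    if (len < 1 + n)
        goto err_id_free;                           /* fails with only the ID allocated */
    for (size_t i = 0; i < n; i++)
        trap->id[i] = buf[1 + i];
    trap->ip_address = t_alloc(sizeof(unsigned long));
    if (!trap->ip_address)
        goto err_id_free;
    if (len < 1 + n + 5 || buf[5 + n] != 0)
        goto err_addr_free;                         /* fails with both allocated */
    *trap->ip_address = ((unsigned long)buf[1 + n] << 24) | ((unsigned long)buf[2 + n] << 16)
                      | ((unsigned long)buf[3 + n] << 8) | buf[4 + n];
    return 1;
err_addr_free:
    t_free(trap->ip_address);
    if (buggy)
        return 0;                                   /* original: address freed, ID leaked to caller */
err_id_free:
    t_free(trap->id);
    if (buggy)
        t_free(trap->ip_address);                   /* original fall-through: pointer may be garbage */
    return 0;
}

/* Mirrors snmp_parse_mangle: the original freed both pointers regardless of
 * the result; the fix frees them only when trap_decode succeeded. */
static int parse_mangle(const unsigned char *buf, size_t len, int buggy)
{
    struct trap trap;
    trap.id = (unsigned long *)&len;                /* stand-ins for uninitialized stack */
    trap.ip_address = (unsigned long *)&buggy;      /* contents (never dereferenced) */
    int ret = trap_decode(buf, len, &trap, buggy);
    if (buggy || ret) {
        t_free(trap.id);
        t_free(trap.ip_address);
    }
    return ret;
}

struct audit { int ret, bad_frees, double_frees, leaks; };

static struct audit audit_run(const unsigned char *buf, size_t len, int buggy)
{
    struct audit a = {0, 0, 0, 0};
    t_reset();
    a.ret = parse_mangle(buf, len, buggy);
    a.bad_frees = bad_frees;
    for (int i = 0; i < ntracked; i++) {
        if (free_count[i] > 1) a.double_frees++;
        if (free_count[i] == 0) a.leaks++;
    }
    return a;
}

/* Constructed inputs covering the three failure stages and one valid trap. */
static const unsigned char IN_BEFORE[]     = {0};
static const unsigned char IN_AFTER_ID[]   = {3, 'a'};
static const unsigned char IN_AFTER_BOTH[] = {2, 1, 2, 10, 0, 0, 1, 7};
static const unsigned char IN_GOOD[]       = {2, 1, 2, 10, 0, 0, 1, 0};

int main(void)
{
    for (int buggy = 1; buggy >= 0; buggy--) {
        struct audit a = audit_run(IN_AFTER_ID, sizeof IN_AFTER_ID, buggy);
        printf("%s, fail after ID: bad frees %d, double frees %d, leaks %d\n",
               buggy ? "original" : "patched", a.bad_frees, a.double_frees, a.leaks);
    }
    return 0;
}
```

Each failure stage maps onto one bullet of the commit message: IN_BEFORE fails before any allocation and the original caller frees two garbage pointers; IN_AFTER_ID fails with only the ID allocated and the original label order frees the garbage address pointer and then lets the caller free the ID a second time; IN_AFTER_BOTH fails with both allocated and the caller double-frees the address. With the patched order and the success-only free in the caller every allocation is freed exactly once and no foreign pointer is ever passed to the free routine.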