Author: dannf
Date: Sun Aug 27 03:57:04 2006
New Revision: 7243

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5

Log:
* snmp-nat-mem-corruption-fix.dpatch
  [SECURITY] Fix memory corruption in snmp_trap_decode
  See CVE-2006-2444

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sun Aug 27 03:57:04 2006
@@ -46,8 +46,11 @@
     readv-writev-missing-lsm-check-compat.dpatch
     [SECURITY] Add missing file_permission callback in readv/writev syscalls
     See CVE-2006-1856
+  * snmp-nat-mem-corruption-fix.dpatch
+    [SECURITY] Fix memory corruption in snmp_trap_decode
+    See CVE-2006-2444
 
- -- dann frazier <[EMAIL PROTECTED]>  Sat, 26 Aug 2006 21:18:29 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Sat, 26 Aug 2006 21:52:14 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high
 

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	Sun Aug 27 03:57:04 2006
@@ -9,3 +9,4 @@
 + exit-bogus-bugon.dpatch
 + readv-writev-missing-lsm-check.dpatch
 + readv-writev-missing-lsm-check-compat.dpatch
++ snmp-nat-mem-corruption-fix.dpatch

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/snmp-nat-mem-corruption-fix.dpatch	Sun Aug 27 03:57:04 2006
@@ -0,0 +1,67 @@
+From: Patrick McHardy <[EMAIL PROTECTED]>
+Date: Sat, 20 May 2006 07:31:26 +0000 (+0200)
+Subject: [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)
+X-Git-Tag: v2.6.16.18
+X-Git-Url: 
http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=1db6b5a66e93ff125ab871d6b3f7363412cc87e8
+
+[PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)
+
+CVE-2006-2444 - Potential remote DoS in SNMP NAT helper.
+
+Fix memory corruption caused by snmp_trap_decode:
+
+- When snmp_trap_decode fails before the id and address are allocated,
+  the pointers contain random memory, but are freed by the caller
+  (snmp_parse_mangle).
+
+- When snmp_trap_decode fails after allocating just the ID, it tries
+  to free both address and ID, but the address pointer still contains
+  random memory. The caller frees both ID and random memory again.
+
+- When snmp_trap_decode fails after allocating both, it frees both,
+  and the callers frees both again.
+
+The corruption can be triggered remotely when the ip_nat_snmp_basic
+module is loaded and traffic on port 161 or 162 is NATed.
+
+Found by multiple testcases of the trap-app and trap-enc groups of the
+PROTOS c06-snmpv1 testsuite.
+
+Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
+Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
+---
+
+--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
+@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(st
+               
+       return 1;
+ 
++err_addr_free:
++      kfree((unsigned long *)trap->ip_address);
++
+ err_id_free:
+       kfree(trap->id);
+ 
+-err_addr_free:
+-      kfree((unsigned long *)trap->ip_address);
+-      
+       return 0;
+ }
+ 
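Review bot: swapping the two labels makes `err_addr_free` fall through into `err_id_free`, so a jump to `err_addr_free` now frees the address and then the id, while a jump to `err_id_free` frees only the id. That is only correct if the goto sites elsewhere in snmp_trap_decode, which this hunk does not show, match the allocation state the header describes: a failure before either allocation must `return 0` directly rather than jump to a label, a failure after allocating only `trap->id` must go to `err_id_free`, and only a failure after both allocations may go to `err_addr_free`. Worth checking each goto in the full 2.6.8 function against those three states before applying the backport, since the original bug was precisely a mismatch between the jump target and what had been allocated. Minor: the `(unsigned long *)` cast on the kfree() argument is pre-existing and unnecessary, kfree() accepts any pointer, but it is harmless.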
+@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned ch
+               struct snmp_v1_trap trap;
+               unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
+               
+-              /* Discard trap allocations regardless */
+-              kfree(trap.id);
+-              kfree((unsigned long *)trap.ip_address);
+-              
+-              if (!ret)
++              if (ret) {
++                      kfree(trap.id);
++                      kfree((unsigned long *)trap.ip_address);
++              } else 
+                       return ret;
+               
+       } else {
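Review bot: the ownership split is the right fix: on success (`ret` non-zero) the caller now owns both buffers and frees them, and on failure it returns without touching them because snmp_trap_decode has already released whatever it allocated. Two things to tighten. First, `struct snmp_v1_trap trap;` is still an uninitialised stack variable, so the scheme is safe only as long as both functions keep agreeing on who frees what; initialising it (`struct snmp_v1_trap trap = { .id = NULL, .ip_address = NULL };` or a memset) costs nothing and makes a kfree() of a never-allocated pointer a no-op on every path, though it does not remove the need for this hunk's rule against freeing twice. Second, style: there is trailing whitespace after `else `, and a braced `if` paired with a brace-less `else` is not the usual kernel form; `} else {` with `return ret;` inside braces reads more clearly.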

_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
