On Mon, 2012-01-09 at 22:04 +0000, Ben Hutchings wrote:
> Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP
> behavior on v3 query during v2-compatibility mode') added yet another
> case for query parsing, which can result in max_delay = 0. Substitute
> a value of 1, as in the usual v3 case.
This has been assigned CVE-2012-0207. Ben. > Reported-by: Simon McVittie <s...@debian.org> > References: http://bugs.debian.org/654876 > Signed-off-by: Ben Hutchings <b...@decadent.org.uk> > --- > net/ipv4/igmp.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c > index d577199..e0d42db 100644 > --- a/net/ipv4/igmp.c > +++ b/net/ipv4/igmp.c > @@ -875,6 +875,8 @@ static void igmp_heard_query(struct in_device *in_dev, > struct sk_buff *skb, > * to be intended in a v3 query. > */ > max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE); > + if (!max_delay) > + max_delay = 1; /* can't mod w/ 0 */ > } else { /* v3 */ > if (!pskb_may_pull(skb, sizeof(struct igmpv3_query))) > return; -- Ben Hutchings Life is what happens to you while you're busy making other plans. - John Lennon
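Review bot: The zero check added after `max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE);` in the v2-compatibility branch of igmp_heard_query() repeats a guard that, per the commit message, the usual v3 case already carries, so every new query-parsing branch has to remember to copy it. Consider a single `if (!max_delay) max_delay = 1;` after the whole if/else chain, so that every path, including any branch added later, leaves the parsing code with a non-zero value derived from the packet's code field. The comment `/* can't mod w/ 0 */` would also read better if it named where max_delay is used as a divisor, since that use lies outside this hunk.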