diff options
| author | Josh Boyer <jwboyer@redhat.com> | 2014-03-11 09:00:52 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@redhat.com> | 2014-03-11 09:00:54 -0400 |
| commit | 93ec8b7d38bffe6c33b18644e05100e92c06b8b3 (patch) | |
| tree | b3743481cab25c2428f23022d29f48da421f5486 | |
| parent | e741d1dc9eb24ecc365a73a22c274477dbea7181 (diff) | |
| download | kernel-93ec8b7d38bffe6c33b18644e05100e92c06b8b3.tar.gz kernel-93ec8b7d38bffe6c33b18644e05100e92c06b8b3.tar.xz kernel-93ec8b7d38bffe6c33b18644e05100e92c06b8b3.zip | |
CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)
| -rw-r--r-- | ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch | 32 | ||||
| -rw-r--r-- | kernel.spec | 7 |
2 files changed, 39 insertions, 0 deletions
diff --git a/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch new file mode 100644 index 00000000..9c07c7e2 --- /dev/null +++ b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch @@ -0,0 +1,32 @@ +Bugzilla: 1074471 +Upstream-status: queued for 3.14 + +From c88507fbad8055297c1d1e21e599f46960cbee39 Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca <sd@queasysnail.net> +Date: Thu, 06 Mar 2014 16:51:57 +0000 +Subject: ipv6: don't set DST_NOCOUNT for remotely added routes + +DST_NOCOUNT should only be used if an authorized user adds routes +locally. In case of routes which are added on behalf of router +advertisments this flag must not get used as it allows an unlimited +number of routes getting added remotely. + +Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> +Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 11dac21..fba54a4 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1513,7 +1513,7 @@ int ip6_route_add(struct fib6_config *cfg) + if (!table) + goto out; + +- rt = ip6_dst_alloc(net, NULL, DST_NOCOUNT, table); ++ rt = ip6_dst_alloc(net, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT, table); + + if (!rt) { + err = -ENOMEM; +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index bd12e03a..757eff07 100644 --- a/kernel.spec +++ b/kernel.spec @@ -646,6 +646,9 @@ Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch #Fixes module loading on ppc64le Patch25036: ppc64le_module_fix.patch +#CVE-2014-2309 rhbz 1074471 1075064 +Patch25037: ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch + # END OF PATCH DEFINITIONS %endif @@ -1299,6 +1302,9 @@ ApplyPatch Bluetooth-allocate-static-minor-for-vhci.patch # Fixes module loading on ppc64le ApplyPatch ppc64le_module_fix.patch +#CVE-2014-2309 rhbz 1074471 1075064 +ApplyPatch ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch + # END OF PATCH APPLICATIONS %endif @@ -2079,6 +2085,7 @@ fi # || || %changelog * Tue Mar 11 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.14.0-0.rc6.git1.1 +- CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064) - Linux v3.14-rc6-17-g8712a00 - Reenable debugging options. |