summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch32
-rw-r--r--kernel.spec7
2 files changed, 39 insertions, 0 deletions
diff --git a/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
new file mode 100644
index 000000000..9c07c7e24
--- /dev/null
+++ b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
@@ -0,0 +1,32 @@
+Bugzilla: 1074471
+Upstream-status: queued for 3.14
+
+From c88507fbad8055297c1d1e21e599f46960cbee39 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Thu, 06 Mar 2014 16:51:57 +0000
+Subject: ipv6: don't set DST_NOCOUNT for remotely added routes
+
+DST_NOCOUNT should only be used if an authorized user adds routes
+locally. In case of routes which are added on behalf of router
+advertisments this flag must not get used as it allows an unlimited
+number of routes getting added remotely.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 11dac21..fba54a4 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1513,7 +1513,7 @@ int ip6_route_add(struct fib6_config *cfg)
+ if (!table)
+ goto out;
+
+- rt = ip6_dst_alloc(net, NULL, DST_NOCOUNT, table);
++ rt = ip6_dst_alloc(net, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT, table);
+
+ if (!rt) {
+ err = -ENOMEM;
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index bd12e03a1..757eff072 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -646,6 +646,9 @@ Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch
#Fixes module loading on ppc64le
Patch25036: ppc64le_module_fix.patch
+#CVE-2014-2309 rhbz 1074471 1075064
+Patch25037: ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1299,6 +1302,9 @@ ApplyPatch Bluetooth-allocate-static-minor-for-vhci.patch
# Fixes module loading on ppc64le
ApplyPatch ppc64le_module_fix.patch
+#CVE-2014-2309 rhbz 1074471 1075064
+ApplyPatch ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2079,6 +2085,7 @@ fi
# || ||
%changelog
* Tue Mar 11 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.14.0-0.rc6.git1.1
+- CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)
- Linux v3.14-rc6-17-g8712a00
- Reenable debugging options.