diff options
| author |   Mike Pagano <mpagano@gentoo.org> | 2017-06-26 06:35:47 -0400 |
|---|---|---|
| committer | Mike Pagano <mpagano@gentoo.org> | 2017-06-26 06:35:47 -0400 |
| commit | e5ed6f85d09b5ef5354d5791222fe2a917482932 (patch) | |
| tree | f82d8ea1437bbf62a1add18083d7005d9fb33068 | |
| parent | Linux patch 4.1.41 (diff) | |
| download | linux-patches-4.1-49.tar.gz linux-patches-4.1-49.tar.bz2 linux-patches-4.1-49.zip | |
Removal of redundant patch4.1-49
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1520_CVE-2017-6074-dccp-fix-early-skb-free.patch | 47 |
2 files changed, 0 insertions, 51 deletions
diff --git a/0000_README b/0000_README index c7c6b209..d1cbbe4a 100644 --- a/0000_README +++ b/0000_README @@ -215,10 +215,6 @@ Patch: 1510_fs-enable-link-security-restrictions-by-default.patch From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/ Desc: Enable link security restrictions by default. -Patch: 1520_CVE-2017-6074-dccp-skb-freeing-fix.patch -From: https://bugs.gentoo.org/show_bug.cgi?id=610600 -Desc: dccp: fix freeing skb too early for IPV6_RECVPKTINFO. CVE-2017-6074 - Patch: 1530_udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch From: https://bugs.gentoo.org/show_bug.cgi?id=615480 Desc: Fixes CVE-2016-10229. Unsafe second checksum calculation in udp.c diff --git a/1520_CVE-2017-6074-dccp-fix-early-skb-free.patch b/1520_CVE-2017-6074-dccp-fix-early-skb-free.patch deleted file mode 100644 index 433fd4b2..00000000 --- a/1520_CVE-2017-6074-dccp-fix-early-skb-free.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 -From: Andrey Konovalov <andreyknvl@google.com> -Date: Thu, 16 Feb 2017 17:22:46 +0100 -Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO - -In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet -is forcibly freed via __kfree_skb in dccp_rcv_state_process if -dccp_v6_conn_request successfully returns. - -However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb -is saved to ireq->pktopts and the ref count for skb is incremented in -dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed -in dccp_rcv_state_process. - -Fix by calling consume_skb instead of doing goto discard and therefore -calling __kfree_skb. - -Similar fixes for TCP: - -fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. -0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now -simply consumed - -Signed-off-by: Andrey Konovalov <andreyknvl@google.com> -Acked-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/dccp/input.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/dccp/input.c b/net/dccp/input.c -index ba34718..8fedc2d 100644 ---- a/net/dccp/input.c -+++ b/net/dccp/input.c -@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, - if (inet_csk(sk)->icsk_af_ops->conn_request(sk, - skb) < 0) - return 1; -- goto discard; -+ consume_skb(skb); -+ return 0; - } - if (dh->dccph_type == DCCP_PKT_RESET) - goto discard; --- -cgit v0.12 - |