0f831b3cf2
CVE-2017-8890: dccp/tcp: do not inherit mc_list from parent
CVE-2017-9074: ipv6: Prevent overrun when parsing v6 header options
CVE-2017-9075: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
CVE-2017-9076/CVE-2017-9077: ipv6/dccp: do not inherit ipv6_mc_list from parent
CVE-2017-9242: ipv6: fix out of bound writes in __ip6_append_data()
79 lines
2.6 KiB
Diff
79 lines
2.6 KiB
Diff
From ef8ae9e80ab0846763c6405968852e19c9a87782 Mon Sep 17 00:00:00 2001
|
|
From: WANG Cong <xiyou.wangcong@gmail.com>
|
|
Date: Wed, 7 Jun 2017 12:28:27 +0200
|
|
Subject: [PATCH] ipv6/dccp: do not inherit ipv6_mc_list from parent
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
|
|
we should clear ipv6_mc_list etc. for IPv6 sockets too.
|
|
|
|
Cc: Eric Dumazet <edumazet@google.com>
|
|
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
|
|
Acked-by: Eric Dumazet <edumazet@google.com>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
|
|
CVE-2017-9076
|
|
CVE-2017-9077
|
|
|
|
(cherry-picked from 83eaddab4378db256d00d295bda6ca997cd13a52)
|
|
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
|
|
Acked-by: Colin Ian King <colin.king@canonical.com>
|
|
Acked-by: Andy Whitcroft <apw@canonical.com>
|
|
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
|
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
---
|
|
net/dccp/ipv6.c | 6 ++++++
|
|
net/ipv6/tcp_ipv6.c | 2 ++
|
|
2 files changed, 8 insertions(+)
|
|
|
|
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
|
|
index 2f3e8bbe2cb9..8f41327c1edf 100644
|
|
--- a/net/dccp/ipv6.c
|
|
+++ b/net/dccp/ipv6.c
|
|
@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
|
|
newsk->sk_backlog_rcv = dccp_v4_do_rcv;
|
|
newnp->pktoptions = NULL;
|
|
newnp->opt = NULL;
|
|
+ newnp->ipv6_mc_list = NULL;
|
|
+ newnp->ipv6_ac_list = NULL;
|
|
+ newnp->ipv6_fl_list = NULL;
|
|
newnp->mcast_oif = inet6_iif(skb);
|
|
newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
|
|
|
|
@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
|
|
/* Clone RX bits */
|
|
newnp->rxopt.all = np->rxopt.all;
|
|
|
|
+ newnp->ipv6_mc_list = NULL;
|
|
+ newnp->ipv6_ac_list = NULL;
|
|
+ newnp->ipv6_fl_list = NULL;
|
|
newnp->pktoptions = NULL;
|
|
newnp->opt = NULL;
|
|
newnp->mcast_oif = inet6_iif(skb);
|
|
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
|
|
index cfc232714139..c0ca1218801b 100644
|
|
--- a/net/ipv6/tcp_ipv6.c
|
|
+++ b/net/ipv6/tcp_ipv6.c
|
|
@@ -1055,6 +1055,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
|
|
newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
|
|
#endif
|
|
|
|
+ newnp->ipv6_mc_list = NULL;
|
|
newnp->ipv6_ac_list = NULL;
|
|
newnp->ipv6_fl_list = NULL;
|
|
newnp->pktoptions = NULL;
|
|
@@ -1124,6 +1125,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
|
|
First: no IPv4 options.
|
|
*/
|
|
newinet->inet_opt = NULL;
|
|
+ newnp->ipv6_mc_list = NULL;
|
|
newnp->ipv6_ac_list = NULL;
|
|
newnp->ipv6_fl_list = NULL;
|
|
|
|
--
|
|
2.11.0
|
|
|