Author: aurel32
Date: 2006-02-03 17:11:18 +0000 (Fri, 03 Feb 2006)
New Revision: 1122

Added:
   trunk/kfreebsd-5/debian/patches/000_sack.diff
Modified:
   trunk/kfreebsd-5/debian/changelog
Log:
  * Fix an infinite loop in SACK handling (FreeBSD-SA-06:08.sack /
    CVE-2006-0433).



Modified: trunk/kfreebsd-5/debian/changelog
===================================================================
--- trunk/kfreebsd-5/debian/changelog   2006-02-02 12:59:35 UTC (rev 1121)
+++ trunk/kfreebsd-5/debian/changelog   2006-02-03 17:11:18 UTC (rev 1122)
@@ -1,3 +1,11 @@
+kfreebsd-5 (5.4-13) unstable; urgency=high
+
+  * Urgency set to high as this fixes a security bug.
+  * Fix an infinite loop in SACK handling (FreeBSD-SA-06:08.sack /
+    CVE-2006-0433).
+
+ -- Aurelien Jarno <[EMAIL PROTECTED]>  Fri,  3 Feb 2006 17:50:38 +0100
+
 kfreebsd-5 (5.4-12) unstable; urgency=low
 
   * Recommends libc0.1-i686 in kfreebsd-image*, not kfreebsd-headers* 
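
Review bot: the new 5.4-13 entry cites the advisory and CVE but does not name the patch file that carries the fix. Appending "(debian/patches/000_sack.diff)" to the "Fix an infinite loop in SACK handling" item would let a changelog reader locate the change without going to the commit log.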

Added: trunk/kfreebsd-5/debian/patches/000_sack.diff
===================================================================
--- trunk/kfreebsd-5/debian/patches/000_sack.diff       2006-02-02 12:59:35 UTC (rev 1121)
+++ trunk/kfreebsd-5/debian/patches/000_sack.diff       2006-02-03 17:11:18 UTC (rev 1122)
@@ -0,0 +1,24 @@
+Index: sys/netinet/tcp_sack.c
+===================================================================
+RCS file: /home/ncvs/src/sys/netinet/tcp_sack.c,v
+retrieving revision 1.3
+diff -u -p -I__FBSDID -r1.3 tcp_sack.c
+--- sys/netinet/tcp_sack.c     17 Aug 2004 22:05:54 -0000      1.3
++++ sys/netinet/tcp_sack.c     26 Jan 2006 15:18:05 -0000
+@@ -301,6 +301,7 @@ tcp_sack_option(struct tcpcb *tp, struct
+               tp->snd_numholes = 0;
+       if (tp->t_maxseg == 0)
+               panic("tcp_sack_option"); /* Should never happen */
++next_block:
+       while (tmp_olen > 0) {
+               struct sackblk sack;
+ 
+@@ -390,7 +391,7 @@ tcp_sack_option(struct tcpcb *tp, struct
+                               temp = (struct sackhole *)
+                                       uma_zalloc(sack_hole_zone,M_NOWAIT);
+                               if (temp == NULL)
+-                                      continue; /* ENOBUFS */
++                                      goto next_block; /* ENOBUFS */
+                               temp->next = cur->next;
+                               temp->start = sack.end;
+                               temp->end = cur->end;
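
Review bot: in the embedded hunk at -390,7 +391,7, "goto next_block" on a failed uma_zalloc(sack_hole_zone,M_NOWAIT) jumps back to the "while (tmp_olen > 0)" test, so termination depends on tmp_olen already having been reduced for the current SACK block before the allocation is reached. That decrement is not in the visible context, so please confirm it happens before this point on every path. The "/* ENOBUFS */" comment also does not say why "continue" was wrong here: the deeper indentation suggests the allocation sits in a nested loop, where "continue" would not move on to the next SACK block. A one-line comment at the label saying so, plus a short header in 000_sack.diff naming FreeBSD-SA-06:08.sack / CVE-2006-0433, would keep the reason with the code.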

