Author: aurel32
Date: 2006-02-03 17:11:18 +0000 (Fri, 03 Feb 2006)
New Revision: 1122
Added: trunk/kfreebsd-5/debian/patches/000_sack.diff Modified: trunk/kfreebsd-5/debian/changelog Log: * Fix an infinite loop in SACK handling (FreeBSD-SA-06:08.sack / CVE-2006-0433). Modified: trunk/kfreebsd-5/debian/changelog =================================================================== --- trunk/kfreebsd-5/debian/changelog 2006-02-02 12:59:35 UTC (rev 1121) +++ trunk/kfreebsd-5/debian/changelog 2006-02-03 17:11:18 UTC (rev 1122) @@ -1,3 +1,11 @@ +kfreebsd-5 (5.4-13) unstable; urgency=high + + * Urgency set to high as this fixes a security bug. + * Fix an infinite loop in SACK handling (FreeBSD-SA-06:08.sack / + CVE-2006-0433). + + -- Aurelien Jarno <[EMAIL PROTECTED]> Fri, 3 Feb 2006 17:50:38 +0100 + kfreebsd-5 (5.4-12) unstable; urgency=low * Recommends libc0.1-i686 in kfreebsd-image*, not kfreebsd-headers* Added: trunk/kfreebsd-5/debian/patches/000_sack.diff =================================================================== --- trunk/kfreebsd-5/debian/patches/000_sack.diff 2006-02-02 12:59:35 UTC (rev 1121) +++ trunk/kfreebsd-5/debian/patches/000_sack.diff 2006-02-03 17:11:18 UTC (rev 1122) 
@@ -0,0 +1,24 @@ +Index: sys/netinet/tcp_sack.c +=================================================================== +RCS file: /home/ncvs/src/sys/netinet/tcp_sack.c,v +retrieving revision 1.3 +diff -u -p -I__FBSDID -r1.3 tcp_sack.c +--- sys/netinet/tcp_sack.c 17 Aug 2004 22:05:54 -0000 1.3 ++++ sys/netinet/tcp_sack.c 26 Jan 2006 15:18:05 -0000 +@@ -301,6 +301,7 @@ tcp_sack_option(struct tcpcb *tp, struct + tp->snd_numholes = 0; + if (tp->t_maxseg == 0) + panic("tcp_sack_option"); /* Should never happen */ ++next_block: + while (tmp_olen > 0) { + struct sackblk sack; + +@@ -390,7 +391,7 @@ tcp_sack_option(struct tcpcb *tp, struct + temp = (struct sackhole *) + uma_zalloc(sack_hole_zone,M_NOWAIT); + if (temp == NULL) +- continue; /* ENOBUFS */ ++ goto next_block; /* ENOBUFS */ + temp->next = cur->next; + temp->start = sack.end; + temp->end = cur->end;
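Review bot: In the debian/changelog hunk, the 5.4-13 entry cites FreeBSD-SA-06:08.sack / CVE-2006-0433 but does not name the file that carries the fix. Adding `debian/patches/000_sack.diff` to the "Fix an infinite loop in SACK handling" item would let someone auditing the package map the advisory to the patch without reading the commit.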
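Review bot: In the second tcp_sack.c hunk of 000_sack.diff, `goto next_block` in the `temp == NULL` branch lands directly on `while (tmp_olen > 0)`, so the loop only makes progress if `tmp_olen` has already been reduced for the current SACK block before the `uma_zalloc(sack_hole_zone,M_NOWAIT)` call is reached, and neither hunk shows that decrement. Please confirm it against the full function and record the invariant in a comment at the `next_block:` label, so a later reordering of the loop body does not reintroduce a non-terminating path under memory pressure. The retained `/* ENOBUFS */` comment should also say that the remainder of the current iteration is abandoned when the allocation fails, since the jump target is no longer the one the old `continue` used.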