
Bug#603158: marked as done (CVE-2010-4165: possible kernel oops from user MSS)



Your message dated Wed, 1 Dec 2010 00:42:11 +0100
with message-id <20101130234211.GA7613@galadriel.inutil.org>
and subject line Re: possible kernel oops from user MSS
has caused the Debian Bug report #603158,
regarding CVE-2010-4165: possible kernel oops from user MSS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
603158: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603158
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-2.6
Version: 2.6.28-1
Severity: serious
Tags: security patch upstream

This bug was introduced in upstream version 2.6.28 and is about to be
fixed in 2.6.37.  I don't think any CVE has been assigned yet.

Ben.

----- Forwarded message from David Miller <davem@davemloft.net> -----

From: David Miller <davem@davemloft.net>
To: shanwei@cn.fujitsu.com
Cc: schen@mvista.com, netdev@vger.kernel.org
Subject: Re: possible kernel oops from user MSS
Date: Thu, 11 Nov 2010 13:40:18 +0000

From: David Miller <davem@davemloft.net>
Date: Wed, 10 Nov 2010 21:33:13 -0800 (PST)

> I'll make the minimum 64 or something like that.

Here is the patch I will use:

--------------------
tcp: Increase TCP_MAXSEG socket option minimum.

As noted by Steve Chen, since commit
f5fff5dc8a7a3f395b0525c02ba92c95d42b7390 ("tcp: advertise MSS
requested by user") we can end up with a situation where
tcp_select_initial_window() does a divide by a zero (or
even negative) mss value.

The problem is that sometimes we effectively subtract
TCPOLEN_TSTAMP_ALIGNED and/or TCPOLEN_MD5SIG_ALIGNED from the mss.

Fix this by increasing the minimum from 8 to 64.

Reported-by: Steve Chen <schen@mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv4/tcp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 245603c..0814199 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
 		/* Values greater than interface MTU won't take effect. However
 		 * at the point when this call is done we typically don't yet
 		 * know which interface is going to be used */
-		if (val < 8 || val > MAX_TCP_WINDOW) {
+		if (val < 64 || val > MAX_TCP_WINDOW) {
 			err = -EINVAL;
 			break;
 		}
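Review bot: the new lower bound in `if (val < 64 || val > MAX_TCP_WINDOW)` is a bare magic number, and the comment block above it still only explains the upper bound ("Values greater than interface MTU won't take effect"); extend that comment, or give the bound a name, with the reason stated in the description, namely that TCPOLEN_TSTAMP_ALIGNED and/or TCPOLEN_MD5SIG_ALIGNED are later subtracted from the mss and the result must stay positive, so the value is not lowered again by a future reader who only sees the hunk.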
-- 
1.7.3.2




----- End forwarded message -----

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus



--- End Message ---
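The arithmetic the forwarded commit message describes, as an added illustration that is not part of the bug report or of the kernel patch: a constructed C model of the TCP_MAXSEG range check with the old (8) and new (64) minimum, using the aligned option lengths TCPOLEN_TSTAMP_ALIGNED (12) and TCPOLEN_MD5SIG_ALIGNED (20) from the kernel's include/net/tcp.h; the helper names are my own and the model subtracts both options in the worst case.

```c
#include <stdio.h>

/* Constructed model of the do_tcp_setsockopt() TCP_MAXSEG check, not kernel code.
 * Option overheads are the aligned lengths defined in include/net/tcp.h. */
#define TCPOLEN_TSTAMP_ALIGNED 12
#define TCPOLEN_MD5SIG_ALIGNED 20
#define MAX_TCP_WINDOW 32767U

/* Lower bound accepted by the setsockopt path before and after the fix. */
#define OLD_MSS_MIN 8
#define NEW_MSS_MIN 64

/* Mirror of the range check in the hunk: 0 if accepted, -1 where the
 * kernel would return -EINVAL. */
static int tcp_maxseg_check(int val, int minimum)
{
    if (val < minimum || val > (int)MAX_TCP_WINDOW)
        return -1;
    return 0;
}

/* MSS left for payload once the option bytes are subtracted; this is the
 * value tcp_select_initial_window() ends up dividing by. */
static int effective_mss(int user_mss, int use_tstamp, int use_md5)
{
    int mss = user_mss;
    if (use_tstamp)
        mss -= TCPOLEN_TSTAMP_ALIGNED;
    if (use_md5)
        mss -= TCPOLEN_MD5SIG_ALIGNED;
    return mss;
}

/* Smallest effective MSS a given lower bound can let through with both
 * options in use. A result <= 0 means the later divide is unsafe. */
static int worst_case_mss(int minimum)
{
    return effective_mss(minimum, 1, 1);
}

int main(void)
{
    /* Old bound: 8 passes the check but leaves 8 - 12 - 20 = -24 as divisor. */
    printf("min %d: check(8)=%d worst mss=%d\n", OLD_MSS_MIN,
           tcp_maxseg_check(8, OLD_MSS_MIN), worst_case_mss(OLD_MSS_MIN));
    /* New bound: 8 is rejected, and the worst case is 64 - 32 = 32 > 0. */
    printf("min %d: check(8)=%d worst mss=%d\n", NEW_MSS_MIN,
           tcp_maxseg_check(8, NEW_MSS_MIN), worst_case_mss(NEW_MSS_MIN));
    return 0;
}
```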
--- Begin Message ---
Version: 2.6.32-28

On Thu, Nov 11, 2010 at 02:14:45PM +0000, Ben Hutchings wrote:
> Package: linux-2.6
> Version: 2.6.28-1
> Severity: serious
> Tags: security patch upstream
> 
> This bug was introduced in upstream version 2.6.28 and is about to be
> fixed in 2.6.37.  I don't think any CVE has been assigned yet.

The -28 upload didn't have a bug closer for this.

Cheers,
        Moritz


--- End Message ---
