r1122 - in trunk/kfreebsd-5/debian: . patches
Author: aurel32
Date: 2006-02-03 17:11:18 +0000 (Fri, 03 Feb 2006)
New Revision: 1122
Added:
trunk/kfreebsd-5/debian/patches/000_sack.diff
Modified:
trunk/kfreebsd-5/debian/changelog
Log:
* Fix an infinite loop in SACK handling (FreeBSD-SA-06:08.sack /
CVE-2006-0433).
Modified: trunk/kfreebsd-5/debian/changelog
===================================================================
--- trunk/kfreebsd-5/debian/changelog 2006-02-02 12:59:35 UTC (rev 1121)
+++ trunk/kfreebsd-5/debian/changelog 2006-02-03 17:11:18 UTC (rev 1122)
@@ -1,3 +1,11 @@
+kfreebsd-5 (5.4-13) unstable; urgency=high
+
+ * Urgency set to high as this fixes a security bug.
+ * Fix an infinite loop in SACK handling (FreeBSD-SA-06:08.sack /
+ CVE-2006-0433).
+
+ -- Aurelien Jarno <aurel32@debian.org> Fri, 3 Feb 2006 17:50:38 +0100
+
kfreebsd-5 (5.4-12) unstable; urgency=low
* Recommends libc0.1-i686 in kfreebsd-image*, not kfreebsd-headers*
Added: trunk/kfreebsd-5/debian/patches/000_sack.diff
===================================================================
--- trunk/kfreebsd-5/debian/patches/000_sack.diff 2006-02-02 12:59:35 UTC (rev 1121)
+++ trunk/kfreebsd-5/debian/patches/000_sack.diff 2006-02-03 17:11:18 UTC (rev 1122)
@@ -0,0 +1,24 @@
+Index: sys/netinet/tcp_sack.c
+===================================================================
+RCS file: /home/ncvs/src/sys/netinet/tcp_sack.c,v
+retrieving revision 1.3
+diff -u -p -I__FBSDID -r1.3 tcp_sack.c
+--- sys/netinet/tcp_sack.c 17 Aug 2004 22:05:54 -0000 1.3
++++ sys/netinet/tcp_sack.c 26 Jan 2006 15:18:05 -0000
+@@ -301,6 +301,7 @@ tcp_sack_option(struct tcpcb *tp, struct
+ tp->snd_numholes = 0;
+ if (tp->t_maxseg == 0)
+ panic("tcp_sack_option"); /* Should never happen */
++next_block:
+ while (tmp_olen > 0) {
+ struct sackblk sack;
+
+@@ -390,7 +391,7 @@ tcp_sack_option(struct tcpcb *tp, struct
+ temp = (struct sackhole *)
+ uma_zalloc(sack_hole_zone,M_NOWAIT);
+ if (temp == NULL)
+- continue; /* ENOBUFS */
++ goto next_block; /* ENOBUFS */
+ temp->next = cur->next;
+ temp->start = sack.end;
+ temp->end = cur->end;
Reply to: