r1127 - in trunk/kfreebsd-6/debian: . patches
Author: rmh
Date: 2006-02-04 13:45:24 +0000 (Sat, 04 Feb 2006)
New Revision: 1127
Added:
trunk/kfreebsd-6/debian/patches/000_80211.diff
trunk/kfreebsd-6/debian/patches/000_kmem60.diff
trunk/kfreebsd-6/debian/patches/000_pf.diff
Modified:
trunk/kfreebsd-6/debian/changelog
Log:
Misc security updates in kfreebsd-6 (two of them also needed in kfreebsd-5).
Modified: trunk/kfreebsd-6/debian/changelog
===================================================================
--- trunk/kfreebsd-6/debian/changelog 2006-02-04 13:38:06 UTC (rev 1126)
+++ trunk/kfreebsd-6/debian/changelog 2006-02-04 13:45:24 UTC (rev 1127)
@@ -8,6 +8,10 @@
[ Robert Millan ]
* Merge 5.x branch changes (from rev 654 to rev 1058)
* Add src/usr.sbin/config into the source and build/use it dynamicaly.
+ * Fix IEEE 802.11 buffer overflow (FreeBSD-SA-06:05.80211 / CVE-2006-0226).
+ * Fix local kernel memory disclosure (FreeBSD-SA-06:06.kmem / CVE-2006-0379
+ / CVE-2006-0380).
+ * Fix IP fragment handling panic in pf (FreeBSD-SA-06:07.pf / CVE-2006-0381).
-- Robert Millan <rmh@aybabtu.com> Sat, 12 Nov 2005 20:30:37 +0100
Added: trunk/kfreebsd-6/debian/patches/000_80211.diff
===================================================================
--- trunk/kfreebsd-6/debian/patches/000_80211.diff 2006-02-04 13:38:06 UTC (rev 1126)
+++ trunk/kfreebsd-6/debian/patches/000_80211.diff 2006-02-04 13:45:24 UTC (rev 1127)
@@ -0,0 +1,49 @@
+Index: sys/net80211/ieee80211_ioctl.c
+===================================================================
+RCS file: /home/ncvs/src/sys/net80211/ieee80211_ioctl.c,v
+retrieving revision 1.41
+diff -u -p -I__FBSDID -r1.41 ieee80211_ioctl.c
+--- sys/net80211/ieee80211_ioctl.c 14 Dec 2005 19:32:53 -0000 1.41
++++ sys/net80211/ieee80211_ioctl.c 18 Jan 2006 04:39:48 -0000
+@@ -976,13 +976,25 @@ get_scan_result(struct ieee80211req_scan
+ const struct ieee80211_node *ni)
+ {
+ struct ieee80211com *ic = ni->ni_ic;
++ u_int ielen = 0;
+
+ memset(sr, 0, sizeof(*sr));
+ sr->isr_ssid_len = ni->ni_esslen;
+ if (ni->ni_wpa_ie != NULL)
+- sr->isr_ie_len += 2+ni->ni_wpa_ie[1];
++ ielen += 2+ni->ni_wpa_ie[1];
+ if (ni->ni_wme_ie != NULL)
+- sr->isr_ie_len += 2+ni->ni_wme_ie[1];
++ ielen += 2+ni->ni_wme_ie[1];
++
++ /*
++ * The value sr->isr_ie_len is defined as a uint8_t, so we
++ * need to be careful to avoid an integer overflow. If the
++ * value would overflow, we will set isr_ie_len to zero, and
++ * ieee80211_ioctl_getscanresults (below) will avoid copying
++ * the (overflowing) data.
++ */
++ if (ielen > 255)
++ ielen = 0;
++ sr->isr_ie_len = ielen;
+ sr->isr_len = sizeof(*sr) + sr->isr_ssid_len + sr->isr_ie_len;
+ sr->isr_len = roundup(sr->isr_len, sizeof(u_int32_t));
+ if (ni->ni_chan != IEEE80211_CHAN_ANYC) {
+@@ -1030,11 +1042,11 @@ ieee80211_ioctl_getscanresults(struct ie
+ cp = (u_int8_t *)(sr+1);
+ memcpy(cp, ni->ni_essid, ni->ni_esslen);
+ cp += ni->ni_esslen;
+- if (ni->ni_wpa_ie != NULL) {
++ if (sr->isr_ie_len > 0 && ni->ni_wpa_ie != NULL) {
+ memcpy(cp, ni->ni_wpa_ie, 2+ni->ni_wpa_ie[1]);
+ cp += 2+ni->ni_wpa_ie[1];
+ }
+- if (ni->ni_wme_ie != NULL) {
++ if (sr->isr_ie_len > 0 && ni->ni_wme_ie != NULL) {
+ memcpy(cp, ni->ni_wme_ie, 2+ni->ni_wme_ie[1]);
+ cp += 2+ni->ni_wme_ie[1];
+ }
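Review bot: The guards added in ieee80211_ioctl_getscanresults, `if (sr->isr_ie_len > 0 && ni->ni_wpa_ie != NULL)` and the matching wme line, still size each memcpy from `2+ni->ni_wpa_ie[1]` / `2+ni->ni_wme_ie[1]` read again from the node, not from the length that get_scan_result validated and stored in `sr->isr_ie_len`. If the node's IE pointers or their length bytes can change between those two reads (that depends on locking not visible in this hunk), the bound check and the copy can disagree, so it would be safer to recompute the sum and refuse the copy unless it equals `sr->isr_ie_len`, or to snapshot the two lengths once and use them for both the check and the copies. The `255` in `if (ielen > 255)` is the uint8_t limit the new comment talks about; writing it as `UINT8_MAX` (if available in this tree) or a named constant would tie the check to the type it protects. Both get_scan_result and ieee80211_ioctl_getscanresults start before and end after their hunks.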
Added: trunk/kfreebsd-6/debian/patches/000_kmem60.diff
===================================================================
--- trunk/kfreebsd-6/debian/patches/000_kmem60.diff 2006-02-04 13:38:06 UTC (rev 1126)
+++ trunk/kfreebsd-6/debian/patches/000_kmem60.diff 2006-02-04 13:45:24 UTC (rev 1127)
@@ -0,0 +1,47 @@
+Index: sys/net/if_bridge.c
+===================================================================
+RCS file: /usr/ncvs/src/sys/net/if_bridge.c,v
+retrieving revision 1.11.2.12.2.3
+diff -u -r1.11.2.12.2.3 if_bridge.c
+--- sys/net/if_bridge.c 27 Oct 2005 19:43:07 -0000 1.11.2.12.2.3
++++ sys/net/if_bridge.c 22 Jan 2006 18:22:38 -0000
+@@ -583,6 +583,7 @@
+ break;
+ }
+
++ bzero(&args, sizeof args);
+ if (bc->bc_flags & BC_F_COPYIN) {
+ error = copyin(ifd->ifd_data, &args, ifd->ifd_len);
+ if (error)
+@@ -914,6 +915,7 @@
+
+ count = 0;
+ len = bifc->ifbic_len;
++ bzero(&breq, sizeof breq);
+ LIST_FOREACH(bif, &sc->sc_iflist, bif_next) {
+ if (len < sizeof(breq))
+ break;
+@@ -953,6 +955,7 @@
+ getmicrotime(&tv);
+
+ len = bac->ifbac_len;
++ bzero(&bareq, sizeof bareq);
+ LIST_FOREACH(brt, &sc->sc_rtlist, brt_list) {
+ if (len < sizeof(bareq))
+ goto out;
+Index: sys/net80211/ieee80211_ioctl.c
+===================================================================
+RCS file: /usr/ncvs/src/sys/net80211/ieee80211_ioctl.c,v
+retrieving revision 1.25.2.3.2.1
+diff -u -r1.25.2.3.2.1 ieee80211_ioctl.c
+--- sys/net80211/ieee80211_ioctl.c 18 Jan 2006 09:03:36 -0000 1.25.2.3.2.1
++++ sys/net80211/ieee80211_ioctl.c 22 Jan 2006 18:21:50 -0000
+@@ -884,7 +884,7 @@
+ ieee80211_ioctl_getchanlist(struct ieee80211com *ic, struct ieee80211req *ireq)
+ {
+
+- if (sizeof(ic->ic_chan_active) > ireq->i_len)
++ if (sizeof(ic->ic_chan_active) < ireq->i_len)
+ ireq->i_len = sizeof(ic->ic_chan_active);
+ return copyout(&ic->ic_chan_active, ireq->i_data, ireq->i_len);
+ }
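Review bot: The `bzero(&breq, sizeof breq)` and `bzero(&bareq, sizeof bareq)` are placed once before their LIST_FOREACH loops, so they only stop stale bytes reaching copyout if every iteration overwrites every byte of the struct; a field filled by strlcpy or any variable-length copy would carry the tail of the previous entry into the next one. Moving each bzero to the top of the loop body costs a few dozen bytes per iteration and removes the dependency on the loop's fill pattern, which is outside this hunk. The `bzero(&args, sizeof args)` before `copyin(ifd->ifd_data, &args, ifd->ifd_len)` likewise assumes `ifd_len` has already been bounded by `sizeof args` in the code above the hunk; that is worth confirming, since the corrected comparison in ieee80211_ioctl_getchanlist shows how easily such a bound is inverted. The three bridge ioctl functions touched here all begin and end outside the hunk.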
Added: trunk/kfreebsd-6/debian/patches/000_pf.diff
===================================================================
--- trunk/kfreebsd-6/debian/patches/000_pf.diff 2006-02-04 13:38:06 UTC (rev 1126)
+++ trunk/kfreebsd-6/debian/patches/000_pf.diff 2006-02-04 13:45:24 UTC (rev 1127)
@@ -0,0 +1,16 @@
+Index: sys/contrib/pf/net/pf_norm.c
+===================================================================
+RCS file: /home/ncvs/src/sys/contrib/pf/net/pf_norm.c,v
+retrieving revision 1.11.2.2
+diff -u -p -I__FBSDID -r1.11.2.2 pf_norm.c
+--- sys/contrib/pf/net/pf_norm.c 17 Jan 2006 13:05:32 -0000 1.11.2.2
++++ sys/contrib/pf/net/pf_norm.c 22 Jan 2006 16:38:31 -0000
+@@ -818,7 +818,7 @@ pf_fragcache(struct mbuf **m0, struct ip
+ } else {
+ hosed++;
+ }
+- } else {
++ } else if (frp == NULL) {
+ /* There is a gap between fragments */
+ DPFPRINTF(("fragcache[%d]: gap %d %d-%d (%d-%d)\n",
+ h->ip_id, -aftercut, off, max, fra->fr_off,
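Review bot: With `} else if (frp == NULL) {` the branch that reported a gap is now skipped whenever `frp` is set, but nothing in the hunk says what happens to the fragment in that case or why a non-NULL `frp` means there is no gap, so a reader applying this as a security patch cannot tell whether the non-NULL case is handled further down or silently falls through. A one-line comment on the new condition, e.g. `/* Only a gap if no preceding fragment; see FreeBSD-SA-06:07.pf */`, would record the intent, and the Debian patch file would benefit from a short header naming the upstream revision it was taken from. pf_fragcache starts and ends outside the hunk, so the handling of the `frp != NULL` fall-through cannot be confirmed from here.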