r1122 - in trunk/kfreebsd-5/debian: . patches



Author: aurel32
Date: 2006-02-03 17:11:18 +0000 (Fri, 03 Feb 2006)
New Revision: 1122

Added:
   trunk/kfreebsd-5/debian/patches/000_sack.diff
Modified:
   trunk/kfreebsd-5/debian/changelog
Log:
  * Fix an infinite loop in SACK handling (FreeBSD-SA-06:08.sack /
    CVE-2006-0433).



Modified: trunk/kfreebsd-5/debian/changelog
===================================================================
--- trunk/kfreebsd-5/debian/changelog	2006-02-02 12:59:35 UTC (rev 1121)
+++ trunk/kfreebsd-5/debian/changelog	2006-02-03 17:11:18 UTC (rev 1122)
@@ -1,3 +1,11 @@
+kfreebsd-5 (5.4-13) unstable; urgency=high
+
+  * Urgency set to high as this fixes a security bug.
+  * Fix an infinite loop in SACK handling (FreeBSD-SA-06:08.sack /
+    CVE-2006-0433).
+
+ -- Aurelien Jarno <aurel32@debian.org>  Fri,  3 Feb 2006 17:50:38 +0100
+
 kfreebsd-5 (5.4-12) unstable; urgency=low
 
   * Recommends libc0.1-i686 in kfreebsd-image*, not kfreebsd-headers* 
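
Review bot: The new 5.4-13 entry does not name the patch file that this revision adds. Mentioning debian/patches/000_sack.diff in the SACK bullet would let a reader map the advisory and CVE reference directly to the file that carries the fix.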

Added: trunk/kfreebsd-5/debian/patches/000_sack.diff
===================================================================
--- trunk/kfreebsd-5/debian/patches/000_sack.diff	2006-02-02 12:59:35 UTC (rev 1121)
+++ trunk/kfreebsd-5/debian/patches/000_sack.diff	2006-02-03 17:11:18 UTC (rev 1122)
@@ -0,0 +1,24 @@
+Index: sys/netinet/tcp_sack.c
+===================================================================
+RCS file: /home/ncvs/src/sys/netinet/tcp_sack.c,v
+retrieving revision 1.3
+diff -u -p -I__FBSDID -r1.3 tcp_sack.c
+--- sys/netinet/tcp_sack.c	17 Aug 2004 22:05:54 -0000	1.3
++++ sys/netinet/tcp_sack.c	26 Jan 2006 15:18:05 -0000
+@@ -301,6 +301,7 @@ tcp_sack_option(struct tcpcb *tp, struct
+ 		tp->snd_numholes = 0;
+ 	if (tp->t_maxseg == 0)
+ 		panic("tcp_sack_option"); /* Should never happen */
++next_block:
+ 	while (tmp_olen > 0) {
+ 		struct sackblk sack;
+ 
+@@ -390,7 +391,7 @@ tcp_sack_option(struct tcpcb *tp, struct
+ 				temp = (struct sackhole *)
+ 					uma_zalloc(sack_hole_zone,M_NOWAIT);
+ 				if (temp == NULL)
+-					continue; /* ENOBUFS */
++					goto next_block; /* ENOBUFS */
+ 				temp->next = cur->next;
+ 				temp->start = sack.end;
+ 				temp->end = cur->end;
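
Review bot: In the second tcp_sack.c hunk, `goto next_block` on the `temp == NULL` path re-enters `while (tmp_olen > 0)`, and the lines shown do not establish that `tmp_olen` has already been reduced for the current SACK block at that point. This should be confirmed against the full function, since otherwise the outer loop would be handed the same block again. A short comment at the `next_block:` label saying that an allocation failure abandons the rest of the current block and moves on to the next one would also help, because `/* ENOBUFS */` alone does not explain why `continue` was replaced. The patch file carries no header naming its origin; a line referencing FreeBSD-SA-06:08.sack at the top of 000_sack.diff would make it traceable without the changelog.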


