oss-sec mailing list archives
Re: CVE request: kernel: ipv6: skb is unexpectedly freed (remote DoS)
From: Eugene Teo <eugene () redhat com>
Date: Wed, 31 Mar 2010 09:20:02 +0800
On 03/31/2010 03:38 AM, Steven M. Christey wrote:
> On Mon, 29 Mar 2010, Eugene Teo wrote:
>> Upstream commit: http://git.kernel.org/linus/fb7e2399ec17f1004c0e0ccfd17439f8759ede01
>
> I'm not clear on the role of ipv6 here. The affected code is in ipv4/tcp_input.c and there's no mention of tcp_v6_conn_request() there.

To trigger this issue, the server actually needs to do something like:

if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_RECVPKTINFO, &on, ...)) {

on the listening socket.

tcp_rcv_state_process() is in ipv4/tcp_input.c but was called in net/ipv6/tcp_ipv6.c.

> I'm guessing this was fixed in Linux 2.6.20.

v2.6.20-rc6

> Arguably this could have been given a 2007 ID, but the patch didn't clearly label the problem as a security issue, so I will treat Eugene's request as the first widely-public disclosure - thus a 2010 date. Use CVE-2010-1188

Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team