oss-sec mailing list archives

Re: TCP Fast Open local DoS in some Linux stable branches - Linux kernel


From: cve-assign () mitre org
Date: Sat, 18 Apr 2015 00:09:28 -0400 (EDT)

There is a local DoS triggered by use of the TCP Fast Open option,
specific to Linux stable branches, as a result of an incompletely
backported bug fix:

https://bugs.debian.org/782515
http://thread.gmane.org/gmane.linux.network/359588

The BUG() at the top of tcp_transmit_skb() fires as
tcp_skb_pcount(skb) == 0.

tcp_send_syn_data() does:

        memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));

Since commit cd7d8498c9a5 ("tcp: change tcp_skb_pcount() location") this
is sufficient to set the GSO segment count correctly. But in older
branches (< 3.18) the GSO segment count in skb_shared_info is used and
is no longer copied by tcp_send_syn_data().

Use CVE-2015-3332.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
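
A simplified user-space model of the mismatch described in the message above, added here as an illustration; it is not part of the original post and is not kernel code. The struct and function names are hypothetical stand-ins and the values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space model. All struct and function names here are
 * hypothetical stand-ins, not kernel definitions. */
struct model_cb { unsigned int seq; unsigned short gso_segs; }; /* cb view */
struct model_skb {
    char cb[48];                    /* control block: all the memcpy moves */
    unsigned short shinfo_gso_segs; /* stands in for skb_shared_info */
};

/* Segment count as read since cd7d8498c9a5: from inside cb. */
static unsigned pcount_cb(const struct model_skb *skb) {
    struct model_cb cb;
    memcpy(&cb, skb->cb, sizeof(cb));
    return cb.gso_segs;
}
/* Segment count as read in older branches (< 3.18): from shared info. */
static unsigned pcount_shinfo(const struct model_skb *skb) {
    return skb->shinfo_gso_segs;
}
/* A SYN holding one segment, with the count recorded in both places. */
static void make_syn(struct model_skb *syn) {
    struct model_cb cb = { .seq = 1000, .gso_segs = 1 }; /* constructed */
    memset(syn, 0, sizeof(*syn));
    memcpy(syn->cb, &cb, sizeof(cb));
    syn->shinfo_gso_segs = 1;
}
/* Mirrors the quoted memcpy: the new skb receives cb and nothing else. */
static void copy_cb_only(struct model_skb *dst, const struct model_skb *src) {
    memset(dst, 0, sizeof(*dst));
    memcpy(dst->cb, src->cb, sizeof(src->cb));
}
/* Remedy within this model (an assumption, not the stable patch itself):
 * carry the count that lives outside cb across as well. */
static void copy_cb_and_count(struct model_skb *dst, const struct model_skb *src) {
    copy_cb_only(dst, src);
    dst->shinfo_gso_segs = src->shinfo_gso_segs;
}

int main(void) {
    struct model_skb syn, syn_data;
    make_syn(&syn);
    copy_cb_only(&syn_data, &syn);
    printf("count read from cb:     %u\n", pcount_cb(&syn_data));
    printf("count read from shinfo: %u (the BUG() condition)\n", pcount_shinfo(&syn_data));
    copy_cb_and_count(&syn_data, &syn);
    printf("shinfo after full copy: %u\n", pcount_shinfo(&syn_data));
    return 0;
}
```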

