Message ID | 20120109220428.GS20752@decadent.org.uk |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 9 Jan 2012 22:04:28 +0000

> Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP
> behavior on v3 query during v2-compatibility mode') added yet another
> case for query parsing, which can result in max_delay = 0. Substitute
> a value of 1, as in the usual v3 case.
>
> Reported-by: Simon McVittie <smcv@debian.org>
> References: http://bugs.debian.org/654876
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Applied and queued up for -stable, thanks Ben.
On Mon, 2012-01-09 at 22:04 +0000, Ben Hutchings wrote:
> Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP
> behavior on v3 query during v2-compatibility mode') added yet another
> case for query parsing, which can result in max_delay = 0. Substitute
> a value of 1, as in the usual v3 case.

This has been assigned CVE-2012-0207.

Ben.

> Reported-by: Simon McVittie <smcv@debian.org>
> References: http://bugs.debian.org/654876
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> net/ipv4/igmp.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c > index d577199..e0d42db 100644 > --- a/net/ipv4/igmp.c > +++ b/net/ipv4/igmp.c > @@ -875,6 +875,8 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, > * to be intended in a v3 query. > */ > max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE); > + if (!max_delay) > + max_delay = 1; /* can't mod w/ 0 */ > } else { /* v3 */ > if (!pskb_may_pull(skb, sizeof(struct igmpv3_query))) > return;
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index d577199..e0d42db 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -875,6 +875,8 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, * to be intended in a v3 query. */ max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE); + if (!max_delay) + max_delay = 1; /* can't mod w/ 0 */ } else { /* v3 */ if (!pskb_may_pull(skb, sizeof(struct igmpv3_query))) return;
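Review bot: the zero check added right after `max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE);` is a per-branch copy of the clamp that, per the commit message, already exists in the usual v3 case, so every query-parsing branch has to remember its own guard. Since `ih3->code` is read from the received query, consider a single `if (!max_delay) max_delay = 1;` after the if/else chain, just before max_delay is used as a divisor, so that a further parsing case cannot reintroduce a zero. The comment `/* can't mod w/ 0 */` would also be more useful if it named where the modulus is taken, because that code is outside this hunk.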
Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP
behavior on v3 query during v2-compatibility mode') added yet another
case for query parsing, which can result in max_delay = 0. Substitute
a value of 1, as in the usual v3 case.

Reported-by: Simon McVittie <smcv@debian.org>
References: http://bugs.debian.org/654876
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/igmp.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)