linux/net/ipv6
Solar Designer 2c8ac66bb2 [NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039)
Solar Designer found a race condition in do_add_counters(). The beginning
of paddc is supposed to be the same as tmp which was sanity-checked
above, but it might not be the same in reality. In case the integer
overflow and/or the race condition are triggered, paddc->num_counters
might not match the allocation size for paddc. If the check below
(t->private->number != paddc->num_counters) nevertheless passes (perhaps
this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
would read kernel memory beyond the allocation size, potentially causing
an oops or leaking sensitive data (e.g., passwords from host system or
from another VPS) via counter increments. This requires CAP_NET_ADMIN.

Signed-off-by: Solar Designer <solar@openwall.com>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-19 02:16:52 -07:00
netfilter [NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039) 2006-05-19 02:16:52 -07:00
addrconf.c [PATCH] Notifier chain update: API changes 2006-03-27 08:44:50 -08:00
af_inet6.c [NET]: Identation & other cleanups related to compat_[gs]etsockopt cset 2006-03-20 22:48:35 -08:00
ah6.c [IPSEC]: Kill unused decap state argument 2006-04-01 00:52:46 -08:00
anycast.c [IPV6]: Nearly complete kzalloc cleanup for net/ipv6 2006-03-20 23:01:32 -08:00
datagram.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
esp6.c [IPSEC]: Kill unused decap state argument 2006-04-01 00:52:46 -08:00
exthdrs_core.c [SELINUX]: Fix ipv6_skip_exthdr() invocation causing OOPS. 2005-04-24 20:16:19 -07:00
exthdrs.c [IPV6]: Clean up hop-by-hop options handler. 2006-04-18 15:57:53 -07:00
icmp.c [PATCH] for_each_possible_cpu: network codes 2006-04-11 06:18:31 -07:00
inet6_connection_sock.c [IPV6]: skb leakage in inet6_csk_xmit 2006-05-10 13:24:38 -07:00
inet6_hashtables.c [IPV6]: Deinline few large functions in inet6 code 2006-04-09 22:48:59 -07:00
ip6_fib.c [IPV6]: ROUTE: Eliminate lock for default route pointer. 2006-03-20 17:00:26 -08:00
ip6_flowlabel.c [IPV6]: Nearly complete kzalloc cleanup for net/ipv6 2006-03-20 23:01:32 -08:00
ip6_input.c [IPV6]: Clean up hop-by-hop options handler. 2006-04-18 15:57:53 -07:00
ip6_output.c [IPV6]: ip6_xmit: remove unnecessary NULL ptr check 2006-03-23 01:17:25 -08:00
ip6_tunnel.c [INET]: Move no-tunnel ICMP error to tunnel4/tunnel6 2006-04-09 22:25:25 -07:00
ipcomp6.c [PATCH] for_each_possible_cpu: network codes 2006-04-11 06:18:31 -07:00
ipv6_sockglue.c [NETFILTER]: Fix ip6tables breakage from {get,set}sockopt compat layer 2006-03-22 13:53:20 -08:00
ipv6_syms.c [NET]: Identation & other cleanups related to compat_[gs]etsockopt cset 2006-03-20 22:48:35 -08:00
Kconfig [INET]: Introduce tunnel4/tunnel6 2006-03-28 17:02:46 -08:00
Makefile [INET]: Introduce tunnel4/tunnel6 2006-03-28 17:02:46 -08:00
mcast.c [IPV6]: Nearly complete kzalloc cleanup for net/ipv6 2006-03-20 23:01:32 -08:00
ndisc.c [IPV6]: ROUTE: Add accept_ra_rt_info_max_plen sysctl. 2006-03-20 17:07:03 -08:00
netfilter.c [NETFILTER]: Fix build with CONFIG_NETFILTER=y/m on IA64 2006-04-09 22:25:49 -07:00
proc.c [PATCH] for_each_possible_cpu: network codes 2006-04-11 06:18:31 -07:00
protocol.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
raw.c [IPV6]: Nearly complete kzalloc cleanup for net/ipv6 2006-03-20 23:01:32 -08:00
reassembly.c [IPv6] reassembly: Always compute hash under the fragment lock. 2006-04-11 17:21:05 -07:00
route.c [IPV6]: Fix race in route selection. 2006-04-29 18:33:22 -07:00
sit.c [INET]: Use port unreachable instead of proto for tunnels 2006-04-09 22:25:29 -07:00
sysctl_net_ipv6.c [NET]: Fix sparse warnings 2005-08-29 16:01:32 -07:00
tcp_ipv6.c [NET]: Identation & other cleanups related to compat_[gs]etsockopt cset 2006-03-20 22:48:35 -08:00
tunnel6.c [INET]: Move no-tunnel ICMP error to tunnel4/tunnel6 2006-04-09 22:25:25 -07:00
udp.c [NET]: Identation & other cleanups related to compat_[gs]etsockopt cset 2006-03-20 22:48:35 -08:00
xfrm6_input.c [IPSEC]: Kill unused decap state structure 2006-04-01 00:54:16 -08:00
xfrm6_output.c [NETFILTER]: Fix xfrm lookup in ip_route_me_harder/ip6_route_me_harder 2006-01-07 12:57:33 -08:00
xfrm6_policy.c [IPV6] XFRM: Fix decoding session with preceding extension header(s). 2006-04-18 15:57:52 -07:00
xfrm6_state.c [XFRM]: IPsec tunnel wildcard address support 2006-01-13 14:34:36 -08:00
xfrm6_tunnel.c [IPSEC]: Kill unused decap state argument 2006-04-01 00:52:46 -08:00