path: root/retired/CVE-2006-1242
blob: 08a09c4a25fd0563a427a44e8f3fa2455a296329
Candidate: CVE-2006-1242
References: 
http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1a55d57b107c3e06935763905dc0fb235214569d
Description: 
 [TCP]: Do not use inet->id of global tcp_socket when sending RST.
 . 
 The problem is in ip_push_pending_frames(), which uses:
 .          if (!df) {
 .                  __ip_select_ident(iph, &rt->u.dst, 0);
 .          } else {
 .                  iph->id = htons(inet->id++);
 .          }
 .
 instead of ip_select_ident().
 .
 Right now I think the code is a nonsense. Most likely, I copied it from
 old ip_build_xmit(), where it was really special, we had to decide
 whether to generate unique ID when generating the first (well, the last)
 fragment.
 .
 In ip_push_pending_frames() it does not make sense, it should use plain
 ip_select_ident() instead.
Notes: 
 jmm> 2.4 doesn't seem to be affected, but I'd prefer a second look before
 jmm> marking it N/A
 .
 dannf> troyh gave me a patch for 2.4, so I guess it is affected
Bugs: 
upstream: released (2.6.16.1)
linux-2.6: released (2.6.16-4)
2.6.8-sarge-security: released (2.6.8-16sarge3)
2.4.27-sarge-security: released (2.4.27-10sarge3)
2.4.19-woody-security: 
2.4.18-woody-security: 
2.4.17-woody-security: 
2.4.16-woody-security: 
2.4.17-woody-security-hppa: 
2.4.17-woody-security-ia64: 
