Message ID | 1327337237-3710-2-git-send-email-apw@canonical.com |
---|---|
State | New |
Headers | show |
On 01/23/2012 09:47 AM, Andy Whitcroft wrote: > From: Ben Hutchings<ben@decadent.org.uk> > > Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP > behavior on v3 query during v2-compatibility mode') added yet another > case for query parsing, which can result in max_delay = 0. Substitute > a value of 1, as in the usual v3 case. > > Reported-by: Simon McVittie<smcv@debian.org> > References: http://bugs.debian.org/654876 > Signed-off-by: Ben Hutchings<ben@decadent.org.uk> > Signed-off-by: David S. Miller<davem@davemloft.net> > > (cherry picked from commit a8c1f65c79cbbb2f7da782d4c9d15639a9b94b27) > CVE-2012-0207 > BugLink: http://bugs.launchpad.net/bugs/917848 > Signed-off-by: Andy Whitcroft<apw@canonical.com> > --- > net/ipv4/igmp.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c > index d9d5130..f574cf6 100644 > --- a/net/ipv4/igmp.c > +++ b/net/ipv4/igmp.c > @@ -892,6 +892,8 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, > * to be intended in a v3 query. > */ > max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE); > + if (!max_delay) > + max_delay = 1; /* can't mod w/ 0 */ > } else { /* v3 */ > if (!pskb_may_pull(skb, sizeof(struct igmpv3_query))) > return;
On 23.01.2012 17:47, Andy Whitcroft wrote: > From: Ben Hutchings <ben@decadent.org.uk> > > Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP > behavior on v3 query during v2-compatibility mode') added yet another > case for query parsing, which can result in max_delay = 0. Substitute > a value of 1, as in the usual v3 case. > > Reported-by: Simon McVittie <smcv@debian.org> > References: http://bugs.debian.org/654876 > Signed-off-by: Ben Hutchings <ben@decadent.org.uk> > Signed-off-by: David S. Miller <davem@davemloft.net> > > (cherry picked from commit a8c1f65c79cbbb2f7da782d4c9d15639a9b94b27) > CVE-2012-0207 > BugLink: http://bugs.launchpad.net/bugs/917848 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > net/ipv4/igmp.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c > index d9d5130..f574cf6 100644 > --- a/net/ipv4/igmp.c > +++ b/net/ipv4/igmp.c > @@ -892,6 +892,8 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, > * to be intended in a v3 query. > */ > max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE); > + if (!max_delay) > + max_delay = 1; /* can't mod w/ 0 */ > } else { /* v3 */ > if (!pskb_may_pull(skb, sizeof(struct igmpv3_query))) > return;
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index d9d5130..f574cf6 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -892,6 +892,8 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, * to be intended in a v3 query. */ max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE); + if (!max_delay) + max_delay = 1; /* can't mod w/ 0 */ } else { /* v3 */ if (!pskb_may_pull(skb, sizeof(struct igmpv3_query))) return;