[pve-kernel.git] / CVE-2017-9075-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch

From eaa390df0e82e771601fa68482c4f022674e904f Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Wed, 17 May 2017 07:16:40 -0700
Subject: [PATCH] sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
ipv6_mc_list from parent"), otherwise bad things can happen.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2017-9075

(cherry-picked from fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 net/sctp/ipv6.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 64dfd35ccdcc..ef0ed6bb71e9 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -666,6 +666,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
 	newnp = inet6_sk(newsk);
 
 	memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+	newnp->ipv6_mc_list = NULL;
+	newnp->ipv6_ac_list = NULL;
+	newnp->ipv6_fl_list = NULL;
 
 	rcu_read_lock();
 	opt = rcu_dereference(np->opt);
-- 
2.11.0
Commit	Line	Data
0f831b3c FG	1	From eaa390df0e82e771601fa68482c4f022674e904f Mon Sep 17 00:00:00 2001
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Wed, 17 May 2017 07:16:40 -0700
	4	Subject: [PATCH] sctp: do not inherit ipv6_{mc\|ac\|fl}_list from parent
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
	10	ipv6_mc_list from parent"), otherwise bad things can happen.
	11
	12	Signed-off-by: Eric Dumazet <edumazet@google.com>
	13	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	14	Tested-by: Andrey Konovalov <andreyknvl@google.com>
	15	Signed-off-by: David S. Miller <davem@davemloft.net>
	16
	17	CVE-2017-9075
	18
	19	(cherry-picked from fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8)
	20	Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
	21	Acked-by: Colin King <colin.king@canonical.com>
	22	Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
	23	Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
	24
	25	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	26	---
	27	net/sctp/ipv6.c \| 3 +++
	28	1 file changed, 3 insertions(+)
	29
	30	diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
	31	index 64dfd35ccdcc..ef0ed6bb71e9 100644
	32	--- a/net/sctp/ipv6.c
	33	+++ b/net/sctp/ipv6.c
	34	@@ -666,6 +666,9 @@ static struct sock sctp_v6_create_accept_sk(struct sock sk,
	35	newnp = inet6_sk(newsk);
	36
	37	memcpy(newnp, np, sizeof(struct ipv6_pinfo));
	38	+ newnp->ipv6_mc_list = NULL;
	39	+ newnp->ipv6_ac_list = NULL;
	40	+ newnp->ipv6_fl_list = NULL;
	41
	42	rcu_read_lock();
	43	opt = rcu_dereference(np->opt);
	44	--
	45	2.11.0
	46