wok-next rev 19376

linux: CVE-2016-5696
author Pascal Bellard <pascal.bellard@slitaz.org>
date Sat Aug 13 09:04:52 2016 +0200 (2016-08-13)
parents 5f47ce4a9a34
children 707e4ea3a113
files linux/receipt linux/stuff/linux-CVE-2016-5696.u
line diff
     1.1 --- a/linux/receipt	Fri Aug 12 09:56:34 2016 +0200
     1.2 +++ b/linux/receipt	Sat Aug 13 09:04:52 2016 +0200
     1.3 @@ -224,6 +224,7 @@
     1.4  $PACKAGE-subroot.u
     1.5  $PACKAGE-romfs.u
     1.6  $PACKAGE-hardlinks.u
     1.7 +$PACKAGE-CVE-2016-5696.u
     1.8  aufs3-base.patch
     1.9  aufs3-standalone.patch
    1.10  aufs3-loopback.patch
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/linux/stuff/linux-CVE-2016-5696.u	Sat Aug 13 09:04:52 2016 +0200
     2.3 @@ -0,0 +1,33 @@
     2.4 +http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758
     2.5 +--- linux-3.2.71/net/ipv4/tcp_input.c
     2.6 ++++ linux-3.2.71/net/ipv4/tcp_input.c
     2.7 +@@ -87,7 +87,7 @@
     2.8 + EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
     2.9 + 
    2.10 + /* rfc5961 challenge ack rate limiting */
    2.11 +-int sysctl_tcp_challenge_ack_limit = 100;
    2.12 ++int sysctl_tcp_challenge_ack_limit = 1000;
    2.13 + 
    2.14 + int sysctl_tcp_stdurg __read_mostly;
    2.15 + int sysctl_tcp_rfc1337 __read_mostly;
    2.16 +@@ -3715,13 +3715,17 @@
    2.17 + 	/* unprotected vars, we dont care of overwrites */
    2.18 + 	static u32 challenge_timestamp;
    2.19 + 	static unsigned int challenge_count;
    2.20 +-	u32 now = jiffies / HZ;
    2.21 ++	u32 count, now = jiffies / HZ;
    2.22 + 
    2.23 + 	if (now != challenge_timestamp) {
    2.24 ++		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
    2.25 + 		challenge_timestamp = now;
    2.26 +-		challenge_count = 0;
    2.27 ++		WRITE_ONCE(challenge_count, half +
    2.28 ++			   prandom_u32_max(sysctl_tcp_challenge_ack_limit));
    2.29 + 	}
    2.30 +-	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
    2.31 ++	count = READ_ONCE(challenge_count);
    2.32 ++	if (count > 0) {
    2.33 ++		WRITE_ONCE(challenge_count, count - 1);
    2.34 + 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
    2.35 + 		tcp_send_ack(sk);
    2.36 + 	}