# HG changeset patch # User Pascal Bellard # Date 1471071892 -7200 # Node ID ccc74276c1934f93af8c0db9ae4ea6cc4c5ae172 # Parent 5f47ce4a9a3460b6969266b2bdd98431438a87ae linux: CVE-2016-5696 diff -r 5f47ce4a9a34 -r ccc74276c193 linux/receipt --- a/linux/receipt Fri Aug 12 09:56:34 2016 +0200 +++ b/linux/receipt Sat Aug 13 09:04:52 2016 +0200 @@ -224,6 +224,7 @@ $PACKAGE-subroot.u $PACKAGE-romfs.u $PACKAGE-hardlinks.u +$PACKAGE-CVE-2016-5696.u aufs3-base.patch aufs3-standalone.patch aufs3-loopback.patch diff -r 5f47ce4a9a34 -r ccc74276c193 linux/stuff/linux-CVE-2016-5696.u --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/linux/stuff/linux-CVE-2016-5696.u Sat Aug 13 09:04:52 2016 +0200 @@ -0,0 +1,33 @@ +http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758 +--- linux-3.2.71/net/ipv4/tcp_input.c ++++ linux-3.2.71/net/ipv4/tcp_input.c +@@ -87,7 +87,7 @@ + EXPORT_SYMBOL(sysctl_tcp_adv_win_scale); + + /* rfc5961 challenge ack rate limiting */ +-int sysctl_tcp_challenge_ack_limit = 100; ++int sysctl_tcp_challenge_ack_limit = 1000; + + int sysctl_tcp_stdurg __read_mostly; + int sysctl_tcp_rfc1337 __read_mostly; +@@ -3715,13 +3715,17 @@ + /* unprotected vars, we dont care of overwrites */ + static u32 challenge_timestamp; + static unsigned int challenge_count; +- u32 now = jiffies / HZ; ++ u32 count, now = jiffies / HZ; + + if (now != challenge_timestamp) { ++ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1; + challenge_timestamp = now; +- challenge_count = 0; ++ WRITE_ONCE(challenge_count, half + ++ prandom_u32_max(sysctl_tcp_challenge_ack_limit)); + } +- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) { ++ count = READ_ONCE(challenge_count); ++ if (count > 0) { ++ WRITE_ONCE(challenge_count, count - 1); + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK); + tcp_send_ack(sk); + }
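Review bot: The `@@ -3715,13 +3715,17 @@` hunk of linux-CVE-2016-5696.u calls `READ_ONCE()`, `WRITE_ONCE()` and `prandom_u32_max()`, but the file headers target linux-3.2.71, and those helpers were introduced in later kernel series. Nothing in this patch or in the receipt entry adds them, so unless another `.u` file in the series provides them, tcp_input.c will not compile. For a 3.2 tree, consider using `ACCESS_ONCE(challenge_count)` for the load and store and open-coding the bounded random value with a generator that exists in that tree. A build of the patched tree should be confirmed before this goes into the receipt.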
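Review bot: The `@@ -87,7 +87,7 @@` hunk changes what `sysctl_tcp_challenge_ack_limit` means, and that is not documented: the only explanation in linux-CVE-2016-5696.u is the upstream URL on its first line. With the later hunk, the per-second budget is seeded as `half + prandom_u32_max(sysctl_tcp_challenge_ack_limit)`, so the number of challenge ACKs sent in one second falls anywhere from about half the configured value to about one and a half times it, and the sysctl is no longer a strict ceiling. The new initializer of 1000 is also only the compiled-in default, so a host that sets the limit at runtime keeps whatever value it sets. Suggest adding a short description under the URL stating both points, so that anyone auditing the package can tell what the sysctl now controls.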