We (the -stable team) are announcing the release of the 2.6.16.18
kernel. It contains a fix for a possible Netfilter SNMP NAT remote DoS (CVE-2006-2444).
The diffstat and short summary of the fixes are below.
I'll also be replying to this message with a copy of the patch between
2.6.16.17 and 2.6.16.18, as it is small enough to do so.
The updated 2.6.16.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.6.16.y.git
and can be browsed at the normal kernel.org git web browser:
http://www.kernel.org/git/
thanks,
-chris
--------
Makefile | 2 +-
net/ipv4/netfilter/ip_nat_snmp_basic.c | 15 +++++++--------
2 files changed, 8 insertions(+), 9 deletions(-)
Summary of changes from v2.6.16.17 to v2.6.16.18
================================================
Chris Wright:
Linux 2.6.16.18
Patrick McHardy:
NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)
diff --git a/Makefile b/Makefile
index ce59d4b..2567664 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 16
-EXTRAVERSION = .17
+EXTRAVERSION = .18
NAME=Sliding Snow Leopard
# *DOCUMENTATION*
diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c
index 4f95d47..df57e7a 100644
--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(st
return 1;
+err_addr_free:
+ kfree((unsigned long *)trap->ip_address);
+
err_id_free:
kfree(trap->id);
-err_addr_free:
- kfree((unsigned long *)trap->ip_address);
-
return 0;
}
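Review bot: The cleanup labels now rely on fall-through from `err_addr_free` into `err_id_free`, and nothing in the code says that this order is load-bearing. A one-line comment above them, such as `/* Unwind in reverse order of allocation; err_addr_free falls through to err_id_free. */`, would keep a later edit from reintroducing a free of a `trap->ip_address` that was never assigned. Both pointers are also left dangling in the caller's struct after `kfree()`; setting `trap->id = NULL;` and `trap->ip_address = NULL;` after the respective free would make a stray second free in a caller harmless. The goto sites and the start of snmp_trap_decode() are outside the hunk, so which label each failure path uses is presumed from the label names.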
@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned ch
struct snmp_v1_trap trap;
unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
- /* Discard trap allocations regardless */
- kfree(trap.id);
- kfree((unsigned long *)trap.ip_address);
-
- if (!ret)
+ if (ret) {
+ kfree(trap.id);
+ kfree((unsigned long *)trap.ip_address);
+ } else
return ret;
} else {
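Review bot: `trap` is an uninitialised stack struct, so freeing its members here is only safe if snmp_trap_decode() fills both pointers on success and releases its own allocations on failure, and that contract is not written down anywhere in the hunk. The removed comment should be replaced by one that states it, e.g. `/* On failure snmp_trap_decode() has already freed id/ip_address; free them here only on success. */`. As a style point, the braced `if` paired with an unbraced `} else` is easy to misread; testing `if (!ret) return ret;` first and then making the two `kfree()` calls unconditionally reads more clearly. The enclosing function starts and ends outside the hunk.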