mirror of
https://github.com/FEX-Emu/linux.git
synced 2024-12-23 18:07:03 +00:00
a612769774
If socket filter truncates an udp packet below the length of UDP header
in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
kernel is configured that way) can be easily enforced by an unprivileged
user which was reported as CVE-2016-6162. For a reproducer, see
http://seclists.org/oss-sec/2016/q3/8
Fixes:
|
||
---|---|---|
.. | ||
ila | ||
netfilter | ||
addrconf_core.c | ||
addrconf.c | ||
addrlabel.c | ||
af_inet6.c | ||
ah6.c | ||
anycast.c | ||
datagram.c | ||
esp6.c | ||
exthdrs_core.c | ||
exthdrs_offload.c | ||
exthdrs.c | ||
fib6_rules.c | ||
fou6.c | ||
icmp.c | ||
inet6_connection_sock.c | ||
inet6_hashtables.c | ||
ip6_checksum.c | ||
ip6_fib.c | ||
ip6_flowlabel.c | ||
ip6_gre.c | ||
ip6_icmp.c | ||
ip6_input.c | ||
ip6_offload.c | ||
ip6_offload.h | ||
ip6_output.c | ||
ip6_tunnel.c | ||
ip6_udp_tunnel.c | ||
ip6_vti.c | ||
ip6mr.c | ||
ipcomp6.c | ||
ipv6_sockglue.c | ||
Kconfig | ||
Makefile | ||
mcast_snoop.c | ||
mcast.c | ||
mip6.c | ||
ndisc.c | ||
netfilter.c | ||
output_core.c | ||
ping.c | ||
proc.c | ||
protocol.c | ||
raw.c | ||
reassembly.c | ||
route.c | ||
sit.c | ||
syncookies.c | ||
sysctl_net_ipv6.c | ||
tcp_ipv6.c | ||
tcpv6_offload.c | ||
tunnel6.c | ||
udp_impl.h | ||
udp_offload.c | ||
udp.c | ||
udplite.c | ||
xfrm6_input.c | ||
xfrm6_mode_beet.c | ||
xfrm6_mode_ro.c | ||
xfrm6_mode_transport.c | ||
xfrm6_mode_tunnel.c | ||
xfrm6_output.c | ||
xfrm6_policy.c | ||
xfrm6_protocol.c | ||
xfrm6_state.c | ||
xfrm6_tunnel.c |