From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Jeff King
Subject: Re: Fwd: [postmaster@vger.kernel.org: Delivery reports about your email [FAILED(1)]]
Date: Sat, 17 Nov 2007 04:06:34 -0500
Message-ID: <20071117090634.GA22352@sigill.intra.peff.net>
References: <20071116183530.GI6372@mea-ext.zmailer.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: QUOTED-PRINTABLE
Cc: git@vger.kernel.org
To: Matti Aarnio
X-From: git-owner@vger.kernel.org Sat Nov 17 10:09:57 2007
Return-path:
Envelope-to: gcvg-git-2@gmane.org
Received: from vger.kernel.org ([209.132.176.167]) by lo.gmane.org with esmtp (Exim 4.50) id 1ItJgZ-00074c-97 for gcvg-git-2@gmane.org; Sat, 17 Nov 2007 10:09:55 +0100
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750963AbXKQJGp convert rfc822-to-quoted-printable (ORCPT ); Sat, 17 Nov 2007 04:06:45 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752225AbXKQJGp (ORCPT ); Sat, 17 Nov 2007 04:06:45 -0500
Received: from 66-23-211-5.clients.speedfactory.net ([66.23.211.5]:2381 "EHLO peff.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750892AbXKQJGl (ORCPT ); Sat, 17 Nov 2007 04:06:41 -0500
Received: (qmail 2466 invoked by uid 111); 17 Nov 2007 09:06:38 -0000
Received: from ppp-216-106-96-70.storm.ca (HELO sigill.intra.peff.net) (216.106.96.70) (smtp-auth username relayok, mechanism cram-md5) by peff.net (qpsmtpd/0.32) with ESMTP; Sat, 17 Nov 2007 04:06:38 -0500
Received: by sigill.intra.peff.net (sSMTP sendmail emulation); Sat, 17 Nov 2007 04:06:34 -0500
Content-Disposition: inline
In-Reply-To: <20071116183530.GI6372@mea-ext.zmailer.org>
Sender: git-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: git@vger.kernel.org
Archived-At:

On Fri, Nov 16, 2007 at 08:35:30PM +0200, Matti Aarnio wrote:

> Here is a sample message that NEEDS proper charset mime tags.

Thank you for posting a complete example. However, I'm not sure that git
is to blame here. The problem text seems to be "Ilpo Järvinen".
However, that text seems to be included in a regular mail sent by
gregkh. I see no evidence of git-send-email being used (neither an
X-Mailer, nor any message-id which would have been generated by it). It
looks like the culprit is whatever he is using to generate the
stable-commit response.

I'll note a few things below (sorry, the quoting is long, but I don't
want to omit any details):

> Following is copy of the message headers. Original message content may
> be in subsequent parts of this MESSAGE/DELIVERY-STATUS structure.
>
> Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
>     id S1751399AbXKPSJk; Fri, 16 Nov 2007 13:09:40 -0500
> Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1756649AbXKPSJk
>     (ORCPT );
>     Fri, 16 Nov 2007 13:09:40 -0500
> Received: from ns2.suse.de ([195.135.220.15]:33829 "EHLO mx2.suse.de"
>     rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
>     id S1751399AbXKPSJj (ORCPT );
>     Fri, 16 Nov 2007 13:09:39 -0500
> Received: from Relay2.suse.de (mail2.suse.de [195.135.221.8])
>     (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>     (No client certificate requested)
>     by mx2.suse.de (Postfix) with ESMTP id 142E02BDB9;
>     Fri, 16 Nov 2007 19:09:38 +0100 (CET)
> Subject: patch tcp-make-sure-write_queue_from-does-not-begin-with-null-ptr.patch queued to -stable tree
> To: ilpo.jarvinen@helsinki.fi, davem@davemloft.net
> Cc: ,
> From:
> Date: Fri, 16 Nov 2007 10:08:58 -0800
> Message-Id: <20071116180937.250A0144AB0C@imap.suse.de>
> Sender: stable-commits-owner@vger.kernel.org
> Precedence: bulk
> Reply-To: linux-kernel@vger.kernel.org
> X-Mailing-List: stable-commits@vger.kernel.org

This is presumably the complete header for the rejected message. I agree
this ought to have a content-type header, but it clearly wasn't sent by
git-send-email. Presumably there is some post-receive hook that is doing
this, but it's hard to say more without seeing the hook.

> Reporting-MTA: dns; vger.kernel.org
> Arrival-Date: Fri, 16 Nov 2007 13:09:40 -0500
> Local-Spool-ID: S1751399AbXKPSJk
>
> Original-Recipient: rfc822;jfunk@funktronics.ca
> Final-Recipient: RFC822;jfunk@funktronics.ca
> Action: failed
> Status: 5.1.1 (bad destination mailbox)
> Remote-MTA: dns; elseed.funktronics.ca (65.61.206.36|25|209.132.176.167|48741)
> Last-Attempt-Date: Fri, 16 Nov 2007 13:10:02 -0500
> Diagnostic-Code: smtp; 550 (Error: improper use of 8-bit data in message body)

> Date: Fri, 16 Nov 2007 10:08:58 -0800
> From: gregkh@suse.de
> To: ilpo.jarvinen@helsinki.fi, davem@davemloft.net
> Cc: stable@kernel.org, stable-commits@vger.kernel.org
> Reply-To: linux-kernel@vger.kernel.org
> Subject: patch
>     tcp-make-sure-write_queue_from-does-not-begin-with-null-ptr.patch
>     queued to -stable tree
>
>
> This is a note to let you know that we have just queued up the patch titled
>
>     Subject: TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)
>
> to the 2.6.23-stable tree. Its filename is
>
>     tcp-make-sure-write_queue_from-does-not-begin-with-null-ptr.patch
>
> A git repo of this tree can be found at
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
>
> >From 96a2d41a3e495734b63bff4e5dd0112741b93b38 Mon Sep 17 00:00:00 2001
> From: Ilpo Järvinen
> Date: Wed, 14 Nov 2007 15:47:18 -0800
> Subject: TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)
>
> From: Ilpo Järvinen

And this is clearly generated by git-format-patch. The signed-off-by
requires a charset specifier. This was fixed by Junio in 4593fb84 about
2 weeks ago, but hasn't made it into a released version yet.

The extra 'From' line in the body of the email is not something
generated by git-format-patch. Usually such lines are placed by
git-send-email, and would require encoding; we just queued a fix for
that yesterday. However, I don't see any other evidence of
git-send-email being used here, so it looks more like whatever script
generated the outer mail just called git-format-patch.

> patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline.
>
> NULL ptr can be returned from tcp_write_queue_head to cached_skb
> and then assigned to skb if packets_out was zero. Without this,
> system is vulnerable to a carefully crafted ACKs which obviously
> is remotely triggerable.
>
> Besides, there's very little that needs to be done in sacktag
> if there weren't any packets outstanding, just skipping the rest
> doesn't hurt.
>
> Signed-off-by: Ilpo Järvinen
> Signed-off-by: David S. Miller
>
> --- > net/ipv4/tcp_input.c | 5 +++++ > 1 file changed, 5 insertions(+) >=20 > --- a/net/ipv4/tcp_input.c > +++ b/net/ipv4/tcp_input.c > @@ -1012,6 +1012,9 @@ tcp_sacktag_write_queue(struct sock *sk, > if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - tp->max_wi= ndow)) > return 0; > =20 > + if (!tp->packets_out) > + goto out; > + > /* SACK fastpath: > * if the only SACK change is the increase of the end_seq of > * the first block then only apply that SACK block 
> @@ -1280,6 +1283,8 @@ tcp_sacktag_write_queue(struct sock *sk, > (!tp->frto_highmark || after(tp->snd_una, tp->frto_highmark))) > tcp_update_reordering(sk, ((tp->fackets_out + 1) - reord), 0); > =20 > +out: > + > #if FASTRETRANS_DEBUG > 0 > BUG_TRAP((int)tp->sacked_out >=3D 0); > BUG_TRAP((int)tp->lost_out >=3D 0);
>
>
> Patches currently in stable-queue which might be from ilpo.jarvinen@helsinki.fi are
>
> queue-2.6.23/tcp-make-sure-write_queue_from-does-not-begin-with-null-ptr.patch
> -
> To unsubscribe from this list: send the line "unsubscribe stable-commits" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
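
Review bot: The check added in the @@ -1012 hunk, "if (!tp->packets_out) goto out;", has no comment saying why an empty write queue must bail out before the SACK fastpath. The commit message gives the reason (tcp_write_queue_head can return NULL into cached_skb when packets_out is zero); a one-line comment above the check stating that would keep a later cleanup from removing it as redundant. The jump also skips everything between this point and the label, so it is worth confirming that the value the function returns after "out:" is already initialised before the check.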
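
Review bot: When FASTRETRANS_DEBUG is 0, the "out:" label added in the @@ -1280 hunk is followed directly by whatever comes after the #if block, which the visible context does not show; a label must be followed by a statement, so check that one (presumably the function's return) comes next rather than the closing brace. Placing the label ahead of the BUG_TRAP lines means the early exit still runs the sacked_out and lost_out sanity checks, which looks intended. The empty "+" line after the label is stray and can be dropped.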
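
The rejection quoted above (550 "improper use of 8-bit data in message body") comes from a body carrying bytes above 0x7F with no MIME headers declaring them. The following Python check is an added example, not part of the original mail and not code from git or the stable-queue scripts; the sample messages and the names split_message and eight_bit_problems are constructed for illustration.

```python
import re

# Constructed sample: a raw 0xE4 byte (Latin-1 "ä") in the body, with no
# MIME-Version, Content-Type or Content-Transfer-Encoding header.
UNDECLARED = (
    b"From: sender@example.org\n"
    b"Subject: patch queued\n"
    b"\n"
    b"Signed-off-by: Ilpo J\xe4rvinen\n"
)
# The same message with the 8-bit content declared (constructed).
DECLARED = UNDECLARED.replace(
    b"\n\n",
    b"\nMIME-Version: 1.0\nContent-Type: text/plain; charset=iso-8859-1\n"
    b"Content-Transfer-Encoding: 8bit\n\n",
    1,
)


def split_message(raw):
    """Return ({lowercased header name: value}, body) from raw message bytes."""
    raw = raw.replace(b"\r\n", b"\n")
    head, _, body = raw.partition(b"\n\n")
    head = re.sub(rb"\n[ \t]+", b" ", head)  # unfold continuation lines
    headers = {}
    for line in head.split(b"\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def eight_bit_problems(raw):
    """List the ways a message carries 8-bit data without declaring it."""
    headers, body = split_message(raw)
    problems = []
    for name, value in headers.items():
        if any(byte > 0x7F for byte in value):
            problems.append("raw 8-bit byte in header " + name.decode("ascii", "replace"))
    if any(byte > 0x7F for byte in body):
        if b"mime-version" not in headers:
            problems.append("8-bit body without MIME-Version")
        if b"charset=" not in headers.get(b"content-type", b"").lower():
            problems.append("8-bit body without a declared charset")
        # With no Content-Transfer-Encoding header the default is 7bit.
        cte = headers.get(b"content-transfer-encoding", b"7bit").lower()
        if cte not in (b"8bit", b"binary"):
            problems.append("8-bit body sent as " + cte.decode("ascii", "replace"))
    return problems


if __name__ == "__main__":
    print(eight_bit_problems(UNDECLARED))
    print(eight_bit_problems(DECLARED))
```

Run over a generated notification before it is handed to the MTA, a non-empty result marks a message that a strict receiving server may refuse.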