Linux 2.6.18.4

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* Linux 2.6.18.4
@ 2006-11-29 19:51 Chris Wright
  2006-11-29 19:52 ` Chris Wright
  0 siblings, 1 reply; 2+ messages in thread
From: Chris Wright @ 2006-11-29 19:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Andrew Morton, torvalds, stable

We (the -stable team) are announcing the release of the 2.6.18.4 kernel.
This has just a single security fix (CVE-2006-5751) for the network
bridge code in it.  An unprivileged local user could potentially write
to kernel memory without this fix.

The diffstat and short summary of the fixes are below.

I'll also be replying to this message with a copy of the patch between
2.6.18.3 and 2.6.18.4, as it is small enough to do so.
                                                                                
The updated 2.6.18.y git tree can be found at:                                  
        git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.6.18.y.git 
and can be browsed at the normal kernel.org git web browser:                    
        www.kernel.org/git/                                                     

thanks,
-chris

--------

 Makefile              |    2 +-
 net/bridge/br_ioctl.c |    9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

Summary of changes from v2.6.18.3 to v2.6.18.4
============================================

Chris Wright:
      bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)
      Linux 2.6.18.4

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Linux 2.6.18.4
  2006-11-29 19:51 Linux 2.6.18.4 Chris Wright
@ 2006-11-29 19:52 ` Chris Wright
  0 siblings, 0 replies; 2+ messages in thread
From: Chris Wright @ 2006-11-29 19:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Andrew Morton, torvalds, stable

diff --git a/Makefile b/Makefile
index 9eda185..d026088 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 6
 SUBLEVEL = 18
-EXTRAVERSION = .3
+EXTRAVERSION = .4
 NAME=Avast! A bilge rat!
 
 # *DOCUMENTATION*
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 4e4119a..4c61a7e 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -58,12 +58,13 @@ static int get_fdb_entries(struct net_br
 {
 	int num;
 	void *buf;
-	size_t size = maxnum * sizeof(struct __fdb_entry);
+	size_t size;
 
-	if (size > PAGE_SIZE) {
-		size = PAGE_SIZE;
+	/* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */
+	if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry))
 		maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
-	}
+
+	size = maxnum * sizeof(struct __fdb_entry);
 
 	buf = kmalloc(size, GFP_USER);
 	if (!buf)

^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2006-11-29 19:49 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-11-29 19:51 Linux 2.6.18.4 Chris Wright
2006-11-29 19:52 ` Chris Wright

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox