oss-sec mailing list archives
Re: TCP Fast Open local DoS in some Linux stable branches - Linux kernel
From: cve-assign () mitre org
Date: Sat, 18 Apr 2015 00:09:28 -0400 (EDT)
There is a local DoS triggered by use of the TCP Fast Open option, specific to Linux stable branches, as a result of an incompletely backported bug fix:

https://bugs.debian.org/782515
http://thread.gmane.org/gmane.linux.network/359588

The BUG() at the top of tcp_transmit_skb() fires as tcp_skb_pcount(skb) == 0. tcp_send_syn_data() does:

    memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));

Since commit cd7d8498c9a5 ("tcp: change tcp_skb_pcount() location") this is sufficient to set the GSO segment count correctly. But in older branches (< 3.18) the GSO segment count in skb_shared_info is used and is no longer copied by tcp_send_syn_data().
Use CVE-2015-3332.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
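The layout difference described in the message above, as an added user-space model in C (not part of the original post and not kernel code). `model_skb`, the `layout` enum and `pcount_after_cb_copy` are hypothetical names, and the explicit re-initialisation in the third case is this model's own way of restoring the invariant, not the patch applied to the stable branches.

```c
/* Added illustration: a user-space model, not kernel code. All struct and
 * function names here are hypothetical simplifications. */
#include <stdio.h>
#include <string.h>

enum layout { COUNT_IN_SHINFO /* < 3.18 */, COUNT_IN_CB /* >= 3.18 */ };

struct model_skb {
    unsigned char cb[48];     /* stands in for skb->cb */
    unsigned short gso_segs;  /* stands in for the count in skb_shared_info */
};

static void set_pcount(struct model_skb *skb, enum layout l, unsigned short n)
{
    if (l == COUNT_IN_CB)
        memcpy(skb->cb, &n, sizeof(n));  /* count stored inside cb */
    else
        skb->gso_segs = n;               /* count stored outside cb */
}

static unsigned short get_pcount(const struct model_skb *skb, enum layout l)
{
    unsigned short n;
    if (l == COUNT_IN_SHINFO)
        return skb->gso_segs;
    memcpy(&n, skb->cb, sizeof(n));
    return n;
}

/* Build a SYN with one segment, copy only cb into a fresh skb (the memcpy
 * quoted in the message), optionally set the count explicitly, and return
 * the segment count a transmit-path sanity check would then see. */
unsigned short pcount_after_cb_copy(enum layout l, int set_explicitly)
{
    struct model_skb syn, syn_data;
    memset(&syn, 0, sizeof(syn));
    memset(&syn_data, 0, sizeof(syn_data));
    set_pcount(&syn, l, 1);
    memcpy(syn_data.cb, syn.cb, sizeof(syn.cb));
    if (set_explicitly)
        set_pcount(&syn_data, l, 1);
    return get_pcount(&syn_data, l);
}

int main(void)
{
    printf("count in cb:      %u\n", (unsigned)pcount_after_cb_copy(COUNT_IN_CB, 0));
    printf("count in shinfo:  %u\n", (unsigned)pcount_after_cb_copy(COUNT_IN_SHINFO, 0));
    printf("shinfo, set to 1: %u\n", (unsigned)pcount_after_cb_copy(COUNT_IN_SHINFO, 1));
    return 0;
}
```

A result of 0 in the second case corresponds to the tcp_skb_pcount(skb) == 0 condition that the message says makes the BUG() fire.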
Current thread:
- TCP Fast Open local DoS in some Linux stable branches Ben Hutchings (Apr 14)
- Re: TCP Fast Open local DoS in some Linux stable branches Ben Hutchings (Apr 15)
- Re: TCP Fast Open local DoS in some Linux stable branches - Linux kernel cve-assign (Apr 17)