From: Thomas Graf <tgraf@redhat.com> Subject: [RHEL5.0 BZ234288]: CVE-2007-1497 IPv6 fragments bypass in nf_conntrack netfilter code Date: Thu, 3 May 2007 14:03:14 +0200 Bugzilla: 234288 Message-Id: <20070503120314.GB4398@lsx.localdomain> Changelog: [net] IPv6 fragments bypass in nf_conntrack netfilter code Fixes IPv6 fragments bypass issue in the conntracking code. The patch has been merged into the stable tree already. Please ACK. commit 868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 Author: Patrick McHardy <kaber@trash.net> nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED [NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED The individual fragments of a packet reassembled by conntrack have the conntrack reference from the reassembled packet attached, but nfctinfo is not copied. This leaves it initialized to 0, which unfortunately is the value of IP_CT_ESTABLISHED. The result is that all IPv6 fragments are tracked as ESTABLISHED, allowing them to bypass a usual ruleset which accepts ESTABLISHED packets early. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Index: linux-2.6.18.noarch/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c =================================================================== --- linux-2.6.18.noarch.orig/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 2006-09-20 05:42:06.000000000 +0200 +++ linux-2.6.18.noarch/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 2007-05-02 22:26:11.000000000 +0200 @@ -264,6 +264,7 @@ static unsigned int ipv6_conntrack_in(un } nf_conntrack_get(reasm->nfct); (*pskb)->nfct = reasm->nfct; + (*pskb)->nfctinfo = reasm->nfctinfo; return NF_ACCEPT; }