From 017cb84224efec734d2310170763decdb45bd43c Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Nov 14 2013 19:36:25 +0000
Subject: CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)


---

diff --git a/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch b/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
new file mode 100644
index 0000000..aaf6f42
--- /dev/null
+++ b/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
@@ -0,0 +1,40 @@
+From 0e033e04c2678dbbe74a46b23fffb7bb918c288e Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 5 Nov 2013 02:41:27 +0100
+Subject: [PATCH] ipv6: fix headroom calculation in udp6_ufo_fragment
+
+Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
+fragmentation for tunnel traffic.") changed the calculation if
+there is enough space to include a fragment header in the skb from a
+skb->mac_header dervived one to skb_headroom. Because we already peeled
+off the skb to transport_header this is wrong. Change this back to check
+if we have enough room before the mac_header.
+
+This fixes a panic Saran Neti reported. He used the tbf scheduler which
+skb_gso_segments the skb. The offsets get negative and we panic in memcpy
+because the skb was erroneously not expanded at the head.
+
+Reported-by: Saran Neti <Saran.Neti@telus.com>
+Cc: Pravin B Shelar <pshelar@nicira.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/udp_offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index 08e23b0..e7359f9 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -90,7 +90,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ 
+ 		/* Check if there is enough headroom to insert fragment header. */
+ 		tnl_hlen = skb_tnl_header_len(skb);
+-		if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
++		if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
+ 			if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
+ 				goto out;
+ 		}
+-- 
+1.8.3.1
+
diff --git a/kernel.spec b/kernel.spec
index 3a980ff..4c8b3b4 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -742,6 +742,9 @@ Patch25140: drm-qxl-backport-fixes-for-Fedora.patch
 
 Patch25141: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
 
+#CVE-2013-4563 rhbz 1030015 1030017
+Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1452,6 +1455,9 @@ ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch
 
 ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
 
+#CVE-2013-4563 rhbz 1030015 1030017
+ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2255,6 +2261,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Thu Nov 14 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)
+
 * Sat Nov 09 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.12.0-2
 - Add patch from Daniel Stone to avoid high order allocations in evdev
 - Add qxl backport fixes from Dave Airlie