From 67ce21f87516f12b26b6898fc625fa7d8820072c Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Nov 14 2013 19:39:23 +0000
Subject: CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)


---

diff --git a/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch b/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
new file mode 100644
index 0000000..2b03038
--- /dev/null
+++ b/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
@@ -0,0 +1,43 @@
+Bugzilla: 1030015 1030017
+Upstream-status: 3.13
+
+From aeb45260747b0a1bf4d374d5e65298cc254cb4f5 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 5 Nov 2013 02:41:27 +0100
+Subject: [PATCH] ipv6: fix headroom calculation in udp6_ufo_fragment
+
+Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
+fragmentation for tunnel traffic.") changed the calculation if
+there is enough space to include a fragment header in the skb from a
+skb->mac_header dervived one to skb_headroom. Because we already peeled
+off the skb to transport_header this is wrong. Change this back to check
+if we have enough room before the mac_header.
+
+This fixes a panic Saran Neti reported. He used the tbf scheduler which
+skb_gso_segments the skb. The offsets get negative and we panic in memcpy
+because the skb was erroneously not expanded at the head.
+
+Reported-by: Saran Neti <Saran.Neti@telus.com>
+Cc: Pravin B Shelar <pshelar@nicira.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/udp_offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index 5d1b8d7..657914b 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -86,7 +86,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ 
+ 	/* Check if there is enough headroom to insert fragment header. */
+ 	tnl_hlen = skb_tnl_header_len(skb);
+-	if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
++	if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
+ 		if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
+ 			goto out;
+ 	}
+-- 
+1.8.3.1
+
diff --git a/kernel.spec b/kernel.spec
index da1310d..d09c246 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -789,6 +789,9 @@ Patch25143: drm-qxl-backport-fixes-for-Fedora.patch
 
 Patch25144: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
 
+#CVE-2013-4563 rhbz 1030015 1030017
+Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1526,6 +1529,9 @@ ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch
 
 ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
 
+#CVE-2013-4563 rhbz 1030015 1030017
+ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2338,6 +2344,9 @@ fi
 # and build.
 
 %changelog
+* Thu Nov 14 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)
+
 * Wed Nov 13 2013 Justin M. Forbes <jforbes@fedoraproject.org> - 3.11.8-200
 - Linux v3.11.8