Add a patch for CVE-2014-3000. #509170

(Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key F8551514)

3 files changed, 43 insertions, 3 deletions

diff --git a/sys-freebsd/freebsd-sources/ChangeLog b/sys-freebsd/freebsd-sources/ChangeLog
index 7ea36a51a53b..368feb53990b 100644
--- a/sys-freebsd/freebsd-sources/ChangeLog
+++ b/sys-freebsd/freebsd-sources/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for sys-freebsd/freebsd-sources
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sources/ChangeLog,v 1.103 2014/04/12 07:01:49 naota Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sources/ChangeLog,v 1.104 2014/05/08 05:24:56 naota Exp $
+
+*freebsd-sources-9.1-r7 (08 May 2014)
+
+  08 May 2014; Naohiro Aota <naota@gentoo.org>
+  +files/freebsd-sources-9.1-tcp.patch, +freebsd-sources-9.1-r7.ebuild,
+  -freebsd-sources-9.1-r6.ebuild:
+  Add a patch for CVE-2014-3000. #509170
 
 *freebsd-sources-9.1-r6 (12 Apr 2014)
 
diff --git a/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-tcp.patch b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-tcp.patch
new file mode 100644
index 000000000000..2f82a5f98a58
--- /dev/null
+++ b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-tcp.patch
@@ -0,0 +1,32 @@
+Index: sys/netinet/tcp_reass.c
+===================================================================
+--- sys/netinet/tcp_reass.c	(revision 264836)
++++ sys/netinet/tcp_reass.c	(working copy)
+@@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 * Investigate why and re-evaluate the below limit after the behaviour
+ 	 * is understood.
+ 	 */
+-	if (th->th_seq != tp->rcv_nxt &&
++	if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ 	    tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+ 		V_tcp_reass_overflows++;
+ 		TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 */
+ 	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ 	if (te == NULL) {
+-		if (th->th_seq != tp->rcv_nxt) {
++		if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ 			TCPSTAT_INC(tcps_rcvmemdrop);
+ 			m_freem(m);
+ 			*tlenp = 0;
+@@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 				TCPSTAT_INC(tcps_rcvduppack);
+ 				TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ 				m_freem(m);
+-				uma_zfree(V_tcp_reass_zone, te);
++				if (te != &tqs)
++					uma_zfree(V_tcp_reass_zone, te);
+ 				tp->t_segqlen--;
+ 				/*
+ 				 * Try to present any queued data
diff --git a/sys-freebsd/freebsd-sources/freebsd-sources-9.1-r6.ebuild b/sys-freebsd/freebsd-sources/freebsd-sources-9.1-r7.ebuild
index 229ca340f452..7806f0c93fa5 100644
--- a/sys-freebsd/freebsd-sources/freebsd-sources-9.1-r6.ebuild
+++ b/sys-freebsd/freebsd-sources/freebsd-sources-9.1-r7.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sources/freebsd-sources-9.1-r6.ebuild,v 1.1 2014/04/12 07:01:49 naota Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sources/freebsd-sources-9.1-r7.ebuild,v 1.1 2014/05/08 05:24:55 naota Exp $
 
 inherit bsdmk freebsd flag-o-matic
 
@@ -39,7 +39,8 @@ PATCHES=( "${FILESDIR}/${PN}-9.0-disable-optimization.patch"
 	"${FILESDIR}/${PN}-9.1-cve-2013-5710.patch"
 	"${FILESDIR}/${PN}-9.1-cve-2014-1453.patch"
 	"${FILESDIR}/${PN}-9.1-random.patch"
-	"${FILESDIR}/${PN}-9.1-mmap-2014.patch" )
+	"${FILESDIR}/${PN}-9.1-mmap-2014.patch"
+	"${FILESDIR}/${PN}-9.1-tcp.patch" )
 
 src_unpack() {
 	freebsd_src_unpack