Diffstat (limited to 'sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-6333.patch')
-rw-r--r--sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-6333.patch28
1 files changed, 28 insertions, 0 deletions
diff --git a/sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-6333.patch b/sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-6333.patch
new file mode 100644
index 0000000..66445ef
--- /dev/null
+++ b/sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-6333.patch
@@ -0,0 +1,28 @@
+From: Al Viro <viro@hera.kernel.org>
+Date: Mon, 4 Dec 2006 22:05:09 +0000 (+0000)
+Subject: [PATCH] remote memory corruptor in ibmtr.c
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ee28b0da1069ced1688aa9d0b7b378353b988321
+
+[PATCH] remote memory corruptor in ibmtr.c
+
+ip_summed changes last summer had missed that one. As the result,
+we have ip_summed interpreted as CHECKSUM_PARTIAL now. IOW,
+->csum is interpreted as offset of checksum in the packet. net/core/*
+will both read and modify the value as that offset, with obvious
+reasons. At the very least it's a remote memory corruptor.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+---
+
+--- a/drivers/net/tokenring/ibmtr.c
++++ b/drivers/net/tokenring/ibmtr.c
+@@ -1826,7 +1826,7 @@ static void tr_rx(struct net_device *dev
+ skb->protocol = tr_type_trans(skb, dev);
+ if (IPv4_p) {
+ skb->csum = chksum;
+- skb->ip_summed = 1;
++ skb->ip_summed = CHECKSUM_COMPLETE;
+ }
+ netif_rx(skb);
+ dev->last_rx = jiffies;
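Review bot: The embedded fix `skb->ip_summed = CHECKSUM_COMPLETE;` relies on a constant that the quoted commit message attributes to the "ip_summed changes last summer" (the patch is dated December 2006), while the file name targets a 2.6.16.28 tree, so it should be confirmed that this xen-sources tree actually carries the CHECKSUM_PARTIAL/CHECKSUM_COMPLETE split. If it does not, `CHECKSUM_COMPLETE` is presumably undefined there and ibmtr.c would fail to build, and the old value 1 may not have the CHECKSUM_PARTIAL meaning the commit message describes, in which case the backport is unnecessary for this version. A header line in the patch file recording the check would help, for example `# Backport of upstream ee28b0da (CVE-2006-6333); verified CHECKSUM_COMPLETE is defined in include/linux/skbuff.h of xen-sources-2.6.16.28`. The body of tr_rx continues outside the embedded hunk, so the rest of the receive path cannot be judged from here.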