
Bug 489300

Summary: fix dst cache leak
Product: Red Hat Enterprise Linux 4
Reporter: Eugene Teo (Security Response) <eteo>
Component: kernel
Assignee: Neil Horman <nhorman>
Status: CLOSED ERRATA
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium
Priority: medium
Version: 4.8
CC: davem, eteo, lwang, tgraf, vgoyal
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-05-18 19:33:15 UTC

Description Eugene Teo (Security Response) 2009-03-09 12:09:27 UTC
From Neil Horman:
"I... see one small error that could lead to a dst cache leak.  It's not a security bug, IMO, since it requires that there be enough IP header options in the input skb to overflow the output skb (which shouldn't be possible, but if for some reason it happens it can leak a dst refcnt)."

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=485163#c46 (private)

Comment 1 RHEL Program Management 2009-03-09 14:07:44 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Neil Horman 2009-03-09 14:37:49 UTC
Thomas, would you mind checking my thinking on this?  In handling a RHEL5 dst leak, I was looking at the RHEL4 icmp_send code and noted that you made a change, which I acked, in commit 31bfb0aaf4653624ea6f83b4b178db69796bbc8a.  The intent was to fix an extra dst_release that we shouldn't have done.  But looking at the code I think we had it right the first time.  We call ip_route_output_key prior to calling ip_options_copy.  If the copy fails, we need to release that dst_entry.
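
The ordering described in Comment 2 (the route lookup takes a reference, then the option copy can fail), shown as an added user-space C model that is not part of the bug report or the kernel source. Every function and type name is a hypothetical stand-in, and the option lengths are constructed sample values.

```c
#include <stdio.h>

/* User-space model only; all names are hypothetical, not kernel code. */
struct dst_model { int refcnt; };
static struct dst_model route = { 0 };      /* one cached route entry */

/* Models the route lookup: success hands the caller one reference. */
static int route_lookup(struct dst_model **out)
{
    route.refcnt++;
    *out = &route;
    return 0;
}
static void route_release(struct dst_model *d) { d->refcnt--; }

/* Models the option copy: fails when input options exceed the reply's room. */
static int options_copy(int opt_len, int room) { return opt_len > room ? -1 : 0; }

/* Failure path returns without dropping the reference taken by the lookup. */
static int send_reply_leaky(int opt_len, int room)
{
    struct dst_model *d;
    if (route_lookup(&d)) return -1;
    if (options_copy(opt_len, room)) return -1;   /* reference on d is lost */
    /* ... build and transmit the reply ... */
    route_release(d);
    return 0;
}

/* Single exit: the reference is dropped whether or not the copy succeeded. */
static int send_reply_fixed(int opt_len, int room)
{
    struct dst_model *d;
    int err;
    if (route_lookup(&d)) return -1;
    err = options_copy(opt_len, room);
    /* ... on success, build and transmit the reply ... */
    route_release(d);
    return err;
}

/* References still held after n sends whose option copy fails (60 > 40). */
static int leaked_after(int (*send)(int, int), int n)
{
    route.refcnt = 0;
    for (int i = 0; i < n; i++) send(60, 40);   /* constructed lengths */
    return route.refcnt;
}

int main(void)
{
    printf("leaky: %d held, fixed: %d held\n",
           leaked_after(send_reply_leaky, 5), leaked_after(send_reply_fixed, 5));
    return 0;
}
```

Each failing call through the leaky path leaves one reference outstanding, so the modelled entry can never reach a zero count and be freed.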

Comment 3 RHEL Program Management 2009-03-12 19:32:16 UTC
Since RHEL 4.8 External Beta has begun, and this bugzilla remains 
unresolved, it has been rejected as it is not proposed as exception or 
blocker.

Comment 4 RHEL Program Management 2009-03-16 15:38:30 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 6 Vivek Goyal 2009-03-17 15:01:54 UTC
Committed in 84.EL. RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 10 errata-xmlrpc 2009-05-18 19:33:15 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1024.html