http://kerneltrap.org/mailarchive/linux-netdev/2010/3/3/6271093/thread

"The root cause for this problem is, when the receiver is doing __release_sock() (i.e. after userspace recv, kernel udp_recvmsg->skb_free_datagram_locked->release_sock), it moves skbs from backlog to sk_receive_queue with the softirq enabled. In the above case, multiple busy senders will almost make it an endless loop. The skbs in the backlog end up eating all the system memory.

The issue is not only for UDP. Any protocol using the socket backlog is potentially affected. The patch adds a limit for the socket backlog so that the backlog size cannot be expanded endlessly."

Upstream commits:
http://git.kernel.org/linus/2499849ee8f513e795b9f2c19a42d6356e4943a4
http://git.kernel.org/linus/53eecb1be5ae499d399d2923933937a9ea1a284f
http://git.kernel.org/linus/50b1a782f845140f4138f14a1ce8a4a6dd0cc82f
http://git.kernel.org/linus/79545b681961d7001c1f4c3eb9ffb87bed4485db
http://git.kernel.org/linus/55349790d7cbf0d381873a7ece1dcafcffd4aaa9
http://git.kernel.org/linus/6b03a53a5ab7ccf2d5d69f96cf1c739c4d2a8fb9
http://git.kernel.org/linus/8eae939f1400326b06d0c9afe53d2a484a326871
http://git.kernel.org/linus/a3a858ff18a72a8d388e31ab0d98f7e944841a62
http://git.kernel.org/linus/c377411f2494a931ff7facdbb3a6839b1266bcf6
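The backlog growth described in the quoted patch text can be seen in a small user-space model, added here as an example; it is not kernel code and not part of the original report. The struct, the function names, the 65536-byte limit and the traffic figures are all constructed assumptions, and the limit check is a simplification of the idea rather than the upstream implementation.

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <stdio.h>
#include <stddef.h>

struct model_sock {
    size_t backlog_len;   /* bytes currently sitting in the backlog */
    size_t backlog_limit; /* 0 models the unpatched case: no limit */
    size_t peak;          /* high-water mark of backlog_len */
    size_t dropped;       /* packets refused because the backlog was full */
};

/* Queue one packet on the backlog; returns 0 if queued, -1 if dropped. */
static int model_add_backlog(struct model_sock *sk, size_t pkt)
{
    if (sk->backlog_limit && sk->backlog_len + pkt > sk->backlog_limit) {
        sk->dropped++;
        return -1;
    }
    sk->backlog_len += pkt;
    if (sk->backlog_len > sk->peak)
        sk->peak = sk->backlog_len;
    return 0;
}

/* Each step models one pass of the release loop: `senders` packets arrive
 * (softirq still enabled) while the receiver moves one packet from the
 * backlog to the receive queue. Returns the peak backlog size in bytes. */
static size_t simulate(struct model_sock *sk, unsigned steps,
                       unsigned senders, size_t pkt)
{
    for (unsigned s = 0; s < steps; s++) {
        for (unsigned i = 0; i < senders; i++)
            model_add_backlog(sk, pkt);
        if (sk->backlog_len >= pkt)
            sk->backlog_len -= pkt;
    }
    return sk->peak;
}

int main(void)
{
    struct model_sock unbounded = { .backlog_limit = 0 };
    struct model_sock bounded = { .backlog_limit = 65536 }; /* constructed value */
    size_t p1 = simulate(&unbounded, 1000, 4, 1500);
    size_t p2 = simulate(&bounded, 1000, 4, 1500);

    printf("no limit:   peak=%zu bytes\n", p1);
    printf("with limit: peak=%zu bytes, dropped=%zu\n", p2, bounded.dropped);
    return 0;
}
```

Without a limit the peak grows linearly with the number of steps; with a limit the backlog stays bounded and the excess shows up as dropped packets instead of memory consumption.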
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise MRG as they have already backported the fixes for this issue. Future kernel updates in Red Hat Enterprise Linux 6 may address this flaw. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in future updates.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0303 https://rhn.redhat.com/errata/RHSA-2011-0303.html
We need c07224005dd3fe746246acadc9be652a588a4d7f for a typo correction too.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html

A CVE was assigned to this for commit c377411f which we have already backported as part of a collection of fixes for CVE-2010-4251.

======================================================
Name: CVE-2010-4805
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4805
Assigned: 20110526
Reference: MLIST:[netdev] 20100302 [PATCH 1/8] net: add limit for socket backlog
Reference: URL:http://kerneltrap.org/mailarchive/linux-netdev/2010/3/3/6271093/thread
Reference: CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c377411f2494a931ff7facdbb3a6839b1266bcf6
Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=657303
Reference: BID:46637
Reference: URL:http://www.securityfocus.com/bid/46637

The socket implementation in net/core/sock.c in the Linux kernel before 2.6.35 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service by sending a large amount of network traffic, related to the sk_add_backlog function and the sk_rmem_alloc socket field. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4251.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html