From ca0be980f46b429061783a2d6dcebb81afc4ac6e Mon Sep 17 00:00:00 2001
From: Benjamin Kaduk
Date: Thu, 7 Dec 2017 19:04:25 -0600
Subject: [PATCH] Import upstream patch for OPENAFS-SA-2017-001/CVE-2017-17432k

Change-Id: Ibf27c46d15790066fb6674f97f09316772f4f4b0
---
 debian/changelog | 6 ++
 ...001-rx-Sanity-check-received-MTU-and.patch | 76 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 83 insertions(+)
 create mode 100644 debian/patches/0015-OPENAFS-SA-2017-001-rx-Sanity-check-received-MTU-and.patch

diff --git a/debian/changelog b/debian/changelog
index 68f73468f..dd639b07d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+openafs (1.6.9-2+deb8u6) UNRELEASED; urgency=high
+
+ * CVE-2017-17432: remote triggered Rx assertion failure
+
+ -- Benjamin Kaduk Thu, 07 Dec 2017 19:04:52 -0600
+
 openafs (1.6.9-2+deb8u5) jessie-security; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff --git a/debian/patches/0015-OPENAFS-SA-2017-001-rx-Sanity-check-received-MTU-and.patch b/debian/patches/0015-OPENAFS-SA-2017-001-rx-Sanity-check-received-MTU-and.patch
new file mode 100644
index 000000000..4fe2c1d8a
--- /dev/null
+++ b/debian/patches/0015-OPENAFS-SA-2017-001-rx-Sanity-check-received-MTU-and.patch
@@ -0,0 +1,76 @@
+From: Benjamin Kaduk
+Date: Mon, 4 Dec 2017 17:20:57 -0600
+Subject: OPENAFS-SA-2017-001: rx: Sanity-check received MTU and twind values
+
+Rather than blindly trusting the values received in the
+(unauthenticated) ack packet trailer, apply some minmial sanity checks
+to received values. natMTU and regular MTU values are subject to
+Rx minmium/maximum packet sizes, and the transmit window cannot drop
+below one without risk of deadlock.
+
+The maxDgramPackets value that can also be present in the trailer
+already has sufficient sanity checking.
+
+Extremely low MTU values (less than 28 == RX_HEADER_SIZE) can cause us
+to set a negative "maximum usable data" size that gets used as an
+(unsigned) packet length for subsequent allocation and computation,
+triggering an assertion when the connection is used to transmit data.
+
+FIXES 134450
+
+(cherry picked from commit 894555f93a2571146cb9ca07140eb98c7a424b01)
+(cherry picked from commit eae2575dc738bd69bb6a0a84f87f02f5cf2b4eb9)
+
+Change-Id: Ic83c2eef69a9f59a0f0b1469681aaef9f42b0a18
+(cherry picked from commit a2266518d610ccabb7b389b273196695ba0c4f33)
+---
+ src/rx/rx.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/rx/rx.c b/src/rx/rx.c
+index 1fc7a20..a50fd25 100644
+--- a/src/rx/rx.c
++++ b/src/rx/rx.c
+@@ -4557,12 +4557,20 @@ rxi_ReceiveAckPacket(struct rx_call *call, struct rx_packet *np,
+ rx_packetread(np, rx_AckDataSize(ap->nAcks) + (int)sizeof(afs_int32),
+ (int)sizeof(afs_int32), &tSize);
+ tSize = (afs_uint32) ntohl(tSize);
++ if (tSize > RX_MAX_PACKET_SIZE)
++ tSize = RX_MAX_PACKET_SIZE;
++ if (tSize < RX_MIN_PACKET_SIZE)
++ tSize = RX_MIN_PACKET_SIZE;
+ peer->natMTU = rxi_AdjustIfMTU(MIN(tSize, peer->ifMTU));
+
+ /* Get the maximum packet size to send to this peer */
+ rx_packetread(np, rx_AckDataSize(ap->nAcks), (int)sizeof(afs_int32),
+ &tSize);
+ tSize = (afs_uint32) ntohl(tSize);
++ if (tSize > RX_MAX_PACKET_SIZE)
++ tSize = RX_MAX_PACKET_SIZE;
++ if (tSize < RX_MIN_PACKET_SIZE)
++ tSize = RX_MIN_PACKET_SIZE;
+ tSize = (afs_uint32) MIN(tSize, rx_MyMaxSendSize);
+ tSize = rxi_AdjustMaxMTU(peer->natMTU, tSize);
+
+@@ -4584,6 +4592,10 @@ rxi_ReceiveAckPacket(struct rx_call *call, struct rx_packet *np,
+ rx_AckDataSize(ap->nAcks) + 2 * (int)sizeof(afs_int32),
+ (int)sizeof(afs_int32), &tSize);
+ tSize = (afs_uint32) ntohl(tSize); /* peer's receive window, if it's */
++ if (tSize == 0)
++ tSize = 1;
++ if (tSize >= rx_maxSendWindow)
++ tSize = rx_maxSendWindow;
+ if (tSize < call->twind) { /* smaller than our send */
+ call->twind = tSize; /* window, we must send less... */
+ call->ssthresh = MIN(call->twind, call->ssthresh);
+@@ -4605,6 +4617,10 @@ rxi_ReceiveAckPacket(struct rx_call *call, struct rx_packet *np,
+ rx_AckDataSize(ap->nAcks) + 2 * (int)sizeof(afs_int32),
+ sizeof(afs_int32), &tSize);
+ tSize = (afs_uint32) ntohl(tSize);
++ if (tSize == 0)
++ tSize = 1;
++ if (tSize >= rx_maxSendWindow)
++ tSize = rx_maxSendWindow;
+ /*
+ * As of AFS 3.5 we set the send window to match the receive window.
+ */
diff --git a/debian/patches/series b/debian/patches/series
index c602dd3ee..d68af127e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@
 0012-rx-CVE-2015-7762-and-CVE-2015-7763.patch
 0013-afs-pioctl-kernel-memory-overrun.patch
 0014-OPENAFS-SA-2016-001-group-creation-by-foreign-users.patch
+0015-OPENAFS-SA-2017-001-rx-Sanity-check-received-MTU-and.patch
-- 
2.39.5
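Review bot: The four-line clamp is written out verbatim twice for the MTU values (after each `tSize = (afs_uint32) ntohl(tSize);` in the first rx.c hunk) and twice for the window (second and third hunks), with nothing at the site saying why those bounds are the right ones; a comment at the first clamp, `/* MTU arrives in the unauthenticated ack trailer: keep it within Rx packet-size limits so the usable-data size cannot go negative */`, would tie the code to the rationale that currently lives only in the patch description. A small static helper applying the packet-size bounds would leave one place to audit instead of four. The fix also presumes RX_MIN_PACKET_SIZE is not below the 28-byte RX_HEADER_SIZE named in the description; that relation is not visible in this patch and is worth stating in the same comment. Clamping silently accepts an out-of-range trailer rather than counting it, so a peer sending such values leaves no trace in statistics; that matches the pre-existing handling and may be deliberate. rxi_ReceiveAckPacket begins and ends outside these hunks, and the file under review is itself a quilt patch applied at package build time.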