Add follow-up fixes for CVE-2017-9074

debian/changelog

@@ -1,6 +1,8 @@
 linux (4.9.30-1+deb9u1) UNRELEASED; urgency=medium
 
   * ipv6: Check ip6_find_1stfragopt() return value properly.
+  * ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
+  * ipv6: Fix leak in ipv6_gso_segment().
 
  -- Ben Hutchings <ben@decadent.org.uk>  Wed, 07 Jun 2017 23:31:14 +0100
 

debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch

@@ -0,0 +1,32 @@
+From: "David S. Miller" <davem@davemloft.net>
+Date: Sun, 4 Jun 2017 21:41:10 -0400
+Subject: ipv6: Fix leak in ipv6_gso_segment().
+Origin: https://git.kernel.org/linus/e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+If ip6_find_1stfragopt() fails and we return an error we have to free
+up 'segs' because nobody else is going to.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/ip6_offload.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
+index 280268f1dd7b..cdb3728faca7 100644
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -116,8 +116,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+ 
+ 		if (udpfrag) {
+ 			int err = ip6_find_1stfragopt(skb, &prevhdr);
+-			if (err < 0)
++			if (err < 0) {
++				kfree_skb_list(segs);
+ 				return ERR_PTR(err);
++			}
+ 			fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
+ 			fptr->frag_off = htons(offset);
+ 			if (skb->next)

debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch

@@ -0,0 +1,40 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 31 May 2017 13:15:41 +0100
+Subject: ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
+Origin: https://git.kernel.org/linus/6e80ac5cc992ab6256c3dae87f7e57db15e1a58c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+xfrm6_find_1stfragopt() may now return an error code and we must
+not treat it as a length.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Acked-by: Craig Gallek <kraig@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/xfrm6_mode_ro.c        | 2 ++
+ net/ipv6/xfrm6_mode_transport.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/net/ipv6/xfrm6_mode_ro.c
++++ b/net/ipv6/xfrm6_mode_ro.c
+@@ -47,6 +47,8 @@ static int xfrm6_ro_output(struct xfrm_s
+ 	iph = ipv6_hdr(skb);
+ 
+ 	hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++	if (hdr_len < 0)
++		return hdr_len;
+ 	skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ 	skb_set_network_header(skb, -x->props.header_len);
+ 	skb->transport_header = skb->network_header + hdr_len;
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -28,6 +28,8 @@ static int xfrm6_transport_output(struct
+ 	iph = ipv6_hdr(skb);
+ 
+ 	hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++	if (hdr_len < 0)
++		return hdr_len;
+ 	skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ 	skb_set_network_header(skb, -x->props.header_len);
+ 	skb->transport_header = skb->network_header + hdr_len;

debian/patches/series

@@ -114,6 +114,8 @@ bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
 bugfix/all/nfsv4-fix-callback-server-shutdown.patch
 bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
 bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
+bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
+bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
 bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
 bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
 bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch