forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/net
History
David S. Miller 5deb72edb3 ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). 
commit 2570a4f542 upstream.

This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point.  We fixed that in commit
e76b2b2567 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")

However commit 483a47d2fe ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.

Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build.  When namespaces are turned off,
the dev_net() does not evaluate it's argument, so the dereference
would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled.  Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene@redhat.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18 10:19:52 -08:00
..
9p 9p: fix readdir corner cases 2009-11-02 08:43:45 -06:00
802 net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
8021q vlan: Fix register_vlan_dev() error path 2009-11-17 06:45:04 -08:00
appletalk Have atalk_route_packet() return NET_RX_SUCCESS not NET_XMIT_SUCCESS 2009-09-14 17:02:47 -07:00
atm net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
ax25 ax25: Fix possible oops in ax25_make_new 2009-09-30 16:44:12 -07:00
bluetooth Bluetooth: Fix regression with L2CAP configuration in Basic Mode 2009-11-16 01:31:41 +01:00
bridge netfilter: ebtables: enforce CAP_NET_ADMIN 2010-01-18 10:19:40 -08:00
can can: should not use __dev_get_by_index() without locks 2009-11-08 00:33:43 -08:00
core net: Fix userspace RTM_NEWLINK notifications. 2009-12-18 14:05:38 -08:00
dcb net: fix double skb free in dcbnl 2009-09-26 20:16:15 -07:00
dccp net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
decnet decnet: netdevice refcount leak 2009-11-06 00:50:39 -08:00
dsa netdev: convert pseudo-devices to netdev_tx_t 2009-09-01 01:13:07 -07:00
econet Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-08-12 17:44:53 -07:00
ethernet net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
ieee802154 net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
ipv4 netfilter: fix crashes in bridge netfilter caused by fragment jumps 2010-01-06 15:04:40 -08:00
ipv6 ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). 2010-01-18 10:19:52 -08:00
ipx net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
irda headers: remove sched.h from interrupt.h 2009-10-11 11:20:58 -07:00
iucv net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
key net: file_operations should be const 2009-09-02 01:03:53 -07:00
lapb net: remove NET_RX_BAD and NET_RX_CN* defines 2009-07-05 19:15:35 -07:00
llc net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
mac80211 mac80211: fix skb buffering issue (and fixes to that) 2010-01-18 10:19:49 -08:00
netfilter netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq() 2010-01-18 10:19:41 -08:00
netlabel Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-07-30 19:22:43 -07:00
netlink net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
netrom net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-10-29 09:22:08 -07:00
phonet Phonet: fix mutex imbalance 2009-09-30 16:41:34 -07:00
rds net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
rfkill Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-11-23 14:01:47 -08:00
rose rose: device refcount leak 2009-11-05 20:56:07 -08:00
rxrpc net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
sched pkt_sched: pedit use proper struct 2009-10-11 23:03:47 -07:00
sctp sctp: on T3_RTX retransmit all the in-flight chunks 2009-11-29 00:14:02 -08:00
sunrpc sunrpc: on successful gss error pipe write, don't return error 2010-01-18 10:19:21 -08:00
tipc net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
unix AF_UNIX: Fix deadlock on connecting to shutdown socket 2009-10-18 23:17:37 -07:00
wanrouter headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
wimax wimax: fix warning caused by not checking retval of rfkill_set_hw_state() 2009-06-11 11:12:48 -07:00
wireless cfg80211: fix syntax error on user regulatory hints 2010-01-18 10:19:45 -08:00
x25 net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
xfrm net: file_operations should be const 2009-09-02 01:03:53 -07:00
compat.c net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
Kconfig net/compat/wext: send different messages to compat tasks 2009-07-15 08:53:39 -07:00
Makefile net: remove redundant sched/ in net/Makefile 2009-07-12 20:11:14 -07:00
nonet.c
socket.c net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
sysctl_net.c net: sysctl_net - use net_eq to compare nets 2009-03-16 16:23:30 +01:00
TUNABLE