averello/linux-stable-mirror
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2026-04-29 12:28:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
3ed215259f2d8cd937abc833dc76e309173aaa52
linux-stable-mirror/net/ipv6
T
History
David S. Miller 2570a4f542 ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). 
This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point.  We fixed that in commit
e76b2b2567 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")

However commit 483a47d2fe ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.

Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build.  When namespaces are turned off,
the dev_net() does not evaluate it's argument, so the dereference
would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled.  Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene@redhat.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
2010-01-13 17:27:37 -08:00
..
netfilter
netfilter: fix crashes in bridge netfilter caused by fragment jumps
2009-12-15 16:59:59 +01:00
addrconf_core.c
addrconf.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6
2009-12-08 07:55:01 -08:00
addrlabel.c
af_inet6.c
net: check kern before calling security subsystem
2009-11-05 22:18:18 -08:00
ah6.c
xfrm: Use the user specified truncation length in ESP and AH
2009-11-25 15:48:41 -08:00
anycast.c
ipv6: use RCU to walk list of network devices
2009-11-13 20:38:49 -08:00
datagram.c
ipv6: no more dev_put() in datagram_send_ctl()
2009-11-02 03:42:41 -08:00
esp6.c
xfrm: Use the user specified truncation length in ESP and AH
2009-11-25 15:48:41 -08:00
exthdrs_core.c
exthdrs.c
ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().
2010-01-13 17:27:37 -08:00
fib6_rules.c
net: Allow fib_rule_unregister to batch
2009-12-03 12:22:55 -08:00
icmp.c
sysctl net: Remove unused binary sysctl code
2009-11-12 02:05:06 -08:00
inet6_connection_sock.c
net: IPv6 changes
2009-10-20 18:55:45 -07:00
inet6_hashtables.c
tcp: Fix a connect() race with timewait sockets
2009-12-08 20:17:51 -08:00
ip6_fib.c
ip6_flowlabel.c
net: use net_eq to compare nets
2009-11-25 15:14:13 -08:00
ip6_input.c
ip6_output.c
ip: fix mc_loop checks for tunnels with multicast outer addresses
2010-01-06 20:37:01 -08:00
ip6_tunnel.c
net: Simplify ip6_tunnel pernet operations.
2009-12-01 16:15:59 -08:00
ip6mr.c
ip6mr: Optimize multiple unregistration
2009-10-29 01:13:53 -07:00
ipcomp6.c
ipv6_sockglue.c
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
2009-10-27 01:03:26 -07:00
Kconfig
IPv6: Fix 6RD typo
2009-10-07 14:50:30 -07:00
Makefile
mcast.c
ipv6: use RCU to walk list of network devices
2009-11-13 20:38:49 -08:00
mip6.c
ndisc.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6
2009-12-08 07:55:01 -08:00
netfilter.c
proc.c
protocol.c
raw.c
ipv6: avoid dev_hold()/dev_put() in rawv6_bind()
2009-11-08 00:43:18 -08:00
reassembly.c
ipv6: fix an oops when force unload ipv6 module
2009-12-18 20:25:13 -08:00
route.c
netns: fix net.ipv6.route.gc_min_interval_ms in netns
2009-12-18 20:11:03 -08:00
sit.c
net: Simplify ipip6 aka sit pernet operations.
2009-12-01 16:15:59 -08:00
syncookies.c
tcp: Revert per-route SACK/DSACK/TIMESTAMP changes.
2009-12-15 20:56:42 -08:00
sysctl_net_ipv6.c
sysctl net: Remove unused binary sysctl code
2009-11-12 02:05:06 -08:00
tcp_ipv6.c
tcp: Revert per-route SACK/DSACK/TIMESTAMP changes.
2009-12-15 20:56:42 -08:00
tunnel6.c
udp_impl.h
net: Make setsockopt() optlen be unsigned.
2009-09-30 16:12:20 -07:00
udp.c
IPv6: use ipv6_addr_v4mapped()
2009-11-10 20:54:44 -08:00
udplite.c
net: drop capability from protocol definitions
2009-11-05 21:40:17 -08:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c
sysctl net: Remove unused binary sysctl code
2009-11-12 02:05:06 -08:00
xfrm6_state.c
xfrm6_tunnel.c
xfrm6_tunnel: RCU conversion
2009-10-24 06:07:57 -07:00