another .31 patch

author Greg Kroah-Hartman <gregkh@suse.de>

Fri, 4 Dec 2009 05:25:29 +0000 (21:25 -0800)

committer Greg Kroah-Hartman <gregkh@suse.de>

Fri, 4 Dec 2009 05:25:29 +0000 (21:25 -0800)
author Greg Kroah-Hartman <gregkh@suse.de>
Fri, 4 Dec 2009 05:25:29 +0000 (21:25 -0800)
committer Greg Kroah-Hartman <gregkh@suse.de>
Fri, 4 Dec 2009 05:25:29 +0000 (21:25 -0800)
diff --git a/queue-2.6.31/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch b/queue-2.6.31/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch

new file mode 100644 (file)

index 0000000..e736e89
--- /dev/null
+++ b/queue-2.6.31/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch
@@ -0,0 +1,40 @@
+From bbf31bf18d34caa87dd01f08bf713635593697f2 Mon Sep 17 00:00:00 2001
+From: David Ford <david@blue-labs.org>
+Date: Sun, 29 Nov 2009 23:02:22 -0800
+Subject: ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS
+
+From: David Ford <david@blue-labs.org>
+
+commit bbf31bf18d34caa87dd01f08bf713635593697f2 upstream.
+
+ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined
+previously patched into 2.6.29.
+
+Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched,
+changing from dev_net(dev) to container_of(...).  Unfortunately the goto
+section (out_fail) on oversized packets inside ip_frag_reasm() didn't
+get touched up as well.  Oversized IP packets cause a NULL pointer
+dereference and immediate hang.
+
+I discovered this running openvasd and my previous email on this is
+titled:  NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566
+
+Signed-off-by: David Ford <david@blue-labs.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ip_fragment.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -563,7 +563,7 @@ out_oversize:
+               printk(KERN_INFO "Oversized IP packet from %pI4.\n",
+                       &qp->saddr);
+ out_fail:
+-      IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_REASMFAILS);
++      IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS);
+       return err;
+ }
+ 
diff --git a/queue-2.6.31/series b/queue-2.6.31/series

index 29a30f7d103a1599eb4c86fec6130d22dbf0f6ee..7a7120137156caa2d51f4dd1284de6c67a061945 100644 (file)
--- a/queue-2.6.31/series
+++ b/queue-2.6.31/series
@@ -81,3 +81,4 @@ sched-fix-boot-crash-by-zalloc-ing-most-of-the-cpu-masks.patch
  v4l-dvb-13202-smsusb-add-autodetection-support-for-three-additional-hauppauge-usb-ids.patch
  v4l-dvb-13313-saa7134-add-support-for-force_ts_valid-mode-for-mpeg-ts-input.patch
  v4l-dvb-13314-saa7134-set-ts_force_val-for-the-hauppauge-wintv-hvr-1150.patch
+ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch
author	Greg Kroah-Hartman <gregkh@suse.de>
	Fri, 4 Dec 2009 05:25:29 +0000 (21:25 -0800)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Fri, 4 Dec 2009 05:25:29 +0000 (21:25 -0800)
queue-2.6.31/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch	[new file with mode: 0644]	patch \| blob
queue-2.6.31/series		patch \| blob \| blame \| history