--- /dev/null
+From security-bounces@linux.kernel.org Wed Aug 31 02:55:24 2005
+Date: Wed, 31 Aug 2005 10:55:12 +0100 (BST)
+From: Mark J Cox <mjc@redhat.com>
+Cc: aviro@redhat.com, davem@redhat.com
+Subject: [PATCH] raw_sendmsg DoS (CAN-2005-2492)
+
+From: Al Viro <aviro@redhat.com>
+
+Fix unchecked __get_user that could be tricked into generating a
+memory read on an arbitrary address. The result of the read is not
+returned directly but you may be able to divine some information about
+it, or use the read to cause a crash on some architectures by reading
+hardware state. CAN-2004-2492.
+
+Fix from Al Viro, ack from Dave Miller.
+
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+ net/ipv4/raw.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.13.y/net/ipv4/raw.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv4/raw.c
++++ linux-2.6.13.y/net/ipv4/raw.c
+@@ -358,7 +358,7 @@ static void raw_probe_proto_opt(struct f
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
+Index: linux-2.6.13.y/net/ipv6/raw.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv6/raw.c
++++ linux-2.6.13.y/net/ipv6/raw.c
+@@ -619,7 +619,7 @@ static void rawv6_probe_proto_opt(struct
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
