--- /dev/null
+From bbf31bf18d34caa87dd01f08bf713635593697f2 Mon Sep 17 00:00:00 2001
+From: David Ford <david@blue-labs.org>
+Date: Sun, 29 Nov 2009 23:02:22 -0800
+Subject: ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS
+
+From: David Ford <david@blue-labs.org>
+
+commit bbf31bf18d34caa87dd01f08bf713635593697f2 upstream.
+
+ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined
+previously patched into 2.6.29.
+
+Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched,
+changing from dev_net(dev) to container_of(...). Unfortunately the goto
+section (out_fail) on oversized packets inside ip_frag_reasm() didn't
+get touched up as well. Oversized IP packets cause a NULL pointer
+dereference and immediate hang.
+
+I discovered this running openvasd and my previous email on this is
+titled: NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566
+
+Signed-off-by: David Ford <david@blue-labs.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ip_fragment.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -563,7 +563,7 @@ out_oversize:
+ "Oversized IP packet from " NIPQUAD_FMT ".\n",
+ NIPQUAD(qp->saddr));
+ out_fail:
+- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_REASMFAILS);
++ IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS);
+ return err;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
