.31 patch

diff --git a/queue-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch b/queue-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
new file mode 100644 (file)
index 0000000..66cbeaa
--- /dev/null
+++ b/queue-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
@@ -0,0 +1,65 @@
+From 2570a4f5428bcdb1077622342181755741e7fa60 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Wed, 13 Jan 2010 17:27:37 -0800
+Subject: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().
+
+From: David S. Miller <davem@davemloft.net>
+
+commit 2570a4f5428bcdb1077622342181755741e7fa60 upstream.
+
+This fixes CERT-FI FICORA #341748
+
+Discovered by Olli Jarva and Tuomo Untinen from the CROSS
+project at Codenomicon Ltd.
+
+Just like in CVE-2007-4567, we can't rely upon skb_dst() being
+non-NULL at this point.  We fixed that in commit
+e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on
+skb->dst before it is assigned.")
+
+However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added
+net argument to IP6_INC_STATS_BH") put a new version of the same bug
+into this function.
+
+Complicating analysis further, this bug can only trigger when network
+namespaces are enabled in the build.  When namespaces are turned off,
+the dev_net() does not evaluate it's argument, so the dereference
+would not occur.
+
+So, for a long time, namespaces couldn't be turned on unless SYSFS was
+disabled.  Therefore, this code has largely been disabled except by
+people turning it on explicitly for namespace development.
+
+With help from Eugene Teo <eugene@redhat.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/exthdrs.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -559,6 +559,11 @@ static inline struct inet6_dev *ipv6_skb
+       return skb_dst(skb) ? ip6_dst_idev(skb_dst(skb)) : __in6_dev_get(skb->dev);
+ }
+ 
++static inline struct net *ipv6_skb_net(struct sk_buff *skb)
++{
++      return skb_dst(skb) ? dev_net(skb_dst(skb)->dev) : dev_net(skb->dev);
++}
++
+ /* Router Alert as of RFC 2711 */
+ 
+ static int ipv6_hop_ra(struct sk_buff *skb, int optoff)
+@@ -580,8 +585,8 @@ static int ipv6_hop_ra(struct sk_buff *s
+ static int ipv6_hop_jumbo(struct sk_buff *skb, int optoff)
+ {
+       const unsigned char *nh = skb_network_header(skb);
++      struct net *net = ipv6_skb_net(skb);
+       u32 pkt_len;
+-      struct net *net = dev_net(skb_dst(skb)->dev);
+ 
+       if (nh[optoff + 1] != 4 || (optoff & 3) != 2) {
+               LIMIT_NETDEBUG(KERN_DEBUG "ipv6_hop_jumbo: wrong jumbo opt length/alignment %d\n",

diff --git a/queue-2.6.31/series b/queue-2.6.31/series
index ff245e9684f9d479e95effcb089b7b123fbbb8f9..9fbe1dcc52d9963f115b2e17b3e1cf40f2263d3f 100644 (file)
--- a/queue-2.6.31/series
+++ b/queue-2.6.31/series
@@ -6,3 +6,4 @@ netfilter-nf_ct_ftp-fix-out-of-bounds-read-in-update_nl_seq.patch
 quota-fix-dquot_transfer-for-filesystems-different-from-ext4.patch
 fix-braindamage-in-audit_tree.c-untag_chunk.patch
 fix-more-leaks-in-audit_tree.c-tag_chunk.patch
+ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch