From: Chris Wright Date: Fri, 9 Mar 2007 17:33:10 +0000 (-0800) Subject: Fix for bz 8134 X-Git-Tag: v2.6.20.2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3ac9b5eaa2e8fd68d7d0bcf96270d53c74b4f342;p=thirdparty%2Fkernel%2Fstable-queue.git Fix for bz 8134
---
diff --git a/review-2.6.20/ipv6-handle-np-opt-being-null-in-ipv6_getsockopt_sticky.patch b/review-2.6.20/ipv6-handle-np-opt-being-null-in-ipv6_getsockopt_sticky.patch
new file mode 100644
index 00000000000..20098b0a945
--- /dev/null
+++ b/review-2.6.20/ipv6-handle-np-opt-being-null-in-ipv6_getsockopt_sticky.patch
@@ -0,0 +1,42 @@
+From 286930797d74b2c9a5beae84836044f6a836235f Mon Sep 17 00:00:00 2001
+From: David S. Miller
+Date: Wed, 7 Mar 2007 12:50:46 -0800
+Subject: IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]
+
+This fixes http://bugzilla.kernel.org/show_bug.cgi?id=8134
+
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+---
+ net/ipv6/ipv6_sockglue.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- linux-2.6.20.1.orig/net/ipv6/ipv6_sockglue.c
++++ linux-2.6.20.1/net/ipv6/ipv6_sockglue.c
+@@ -796,11 +796,15 @@ int compat_ipv6_setsockopt(struct sock *
+ EXPORT_SYMBOL(compat_ipv6_setsockopt);
+ #endif
+
+-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
++static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
+ char __user *optval, int len)
+ {
+- if (!hdr)
++ struct ipv6_opt_hdr *hdr;
++
++ if (!opt || !opt->hopopt)
+ return 0;
++ hdr = opt->hopopt;
++
+ len = min_t(int, len, ipv6_optlen(hdr));
+ if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
+ return -EFAULT;
+@@ -941,7 +945,7 @@ static int do_ipv6_getsockopt(struct soc
+ {
+
+ lock_sock(sk);
+- len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
++ len = ipv6_getsockopt_sticky(sk, np->opt,
+ optval, len);
+ release_sock(sk);
+ return put_user(len, optlen);
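Review bot: The `copy_to_user()` call in ipv6_getsockopt_sticky() still copies `ipv6_optlen(hdr)` bytes even though `len` was clamped on the line before. A caller that passes a buffer shorter than the stored option therefore has more bytes written to `optval` than it allowed for. The copy should use the clamped value, `if (copy_to_user(optval, hdr, len))`. Separately, `len` is a signed int and nothing visible in either hunk rejects a negative value before the `min_t(int, ...)`, so that check should be confirmed in do_ipv6_getsockopt(), whose body starts outside the second hunk. ipv6_getsockopt_sticky() also continues past the end of the first hunk, so its return path is not visible here.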
diff --git a/review-2.6.20/series b/review-2.6.20/series
index bacf85c4e85..eff39e7e49d 100644
--- a/review-2.6.20/series
+++ b/review-2.6.20/series
@@ -102,3 +102,4 @@ gfs2-fix-locking-mistake.patch
 tcp-fix-minisock-tcp_create_openreq_child-typo.patch
 fix-buffer-overflow-in-omnikey-cardman-4040-driver.patch
 x86-64-survive-having-no-irq-mapping-for-a-vector.patch
+ipv6-handle-np-opt-being-null-in-ipv6_getsockopt_sticky.patch