From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Fri, 4 Dec 2009 05:25:29 +0000 (-0800)
Subject: another .31 patch
X-Git-Tag: v2.6.31.7~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a089ab39f083c5af7f57ec7af7ef1a7b02de4da;p=thirdparty%2Fkernel%2Fstable-queue.git

another .31 patch
---

diff --git a/queue-2.6.31/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch b/queue-2.6.31/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch
new file mode 100644
index 00000000000..e736e89a39b
--- /dev/null
+++ b/queue-2.6.31/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch
@@ -0,0 +1,40 @@
+From bbf31bf18d34caa87dd01f08bf713635593697f2 Mon Sep 17 00:00:00 2001
+From: David Ford <david@blue-labs.org>
+Date: Sun, 29 Nov 2009 23:02:22 -0800
+Subject: ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS
+
+From: David Ford <david@blue-labs.org>
+
+commit bbf31bf18d34caa87dd01f08bf713635593697f2 upstream.
+
+ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined
+previously patched into 2.6.29.
+
+Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched,
+changing from dev_net(dev) to container_of(...).  Unfortunately the goto
+section (out_fail) on oversized packets inside ip_frag_reasm() didn't
+get touched up as well.  Oversized IP packets cause a NULL pointer
+dereference and immediate hang.
+
+I discovered this running openvasd and my previous email on this is
+titled:  NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566
+
+Signed-off-by: David Ford <david@blue-labs.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ip_fragment.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -563,7 +563,7 @@ out_oversize:
+ 		printk(KERN_INFO "Oversized IP packet from %pI4.\n",
+ 			&qp->saddr);
+ out_fail:
+-	IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_REASMFAILS);
++	IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS);
+ 	return err;
+ }
+ 
diff --git a/queue-2.6.31/series b/queue-2.6.31/series
index 29a30f7d103..7a712013715 100644
--- a/queue-2.6.31/series
+++ b/queue-2.6.31/series
@@ -81,3 +81,4 @@ sched-fix-boot-crash-by-zalloc-ing-most-of-the-cpu-masks.patch
 v4l-dvb-13202-smsusb-add-autodetection-support-for-three-additional-hauppauge-usb-ids.patch
 v4l-dvb-13313-saa7134-add-support-for-force_ts_valid-mode-for-mpeg-ts-input.patch
 v4l-dvb-13314-saa7134-set-ts_force_val-for-the-hauppauge-wintv-hvr-1150.patch
+ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch