From: Greg Kroah-Hartman Date: Fri, 4 Dec 2009 05:26:46 +0000 (-0800) Subject: .27 patch X-Git-Tag: v2.6.31.7~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b58f5797afdb36ec1ec287c9aa60fc46d9131127;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patch --- diff --git a/queue-2.6.27/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch b/queue-2.6.27/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch new file mode 100644 index 00000000000..18691c35338 --- /dev/null +++ b/queue-2.6.27/ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch 
@@ -0,0 +1,40 @@ +From bbf31bf18d34caa87dd01f08bf713635593697f2 Mon Sep 17 00:00:00 2001 +From: David Ford +Date: Sun, 29 Nov 2009 23:02:22 -0800 +Subject: ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS + +From: David Ford + +commit bbf31bf18d34caa87dd01f08bf713635593697f2 upstream. + +ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined +previously patched into 2.6.29. + +Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched, +changing from dev_net(dev) to container_of(...). Unfortunately the goto +section (out_fail) on oversized packets inside ip_frag_reasm() didn't +get touched up as well. Oversized IP packets cause a NULL pointer +dereference and immediate hang. + +I discovered this running openvasd and my previous email on this is +titled: NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566 + +Signed-off-by: David Ford +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ip_fragment.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -563,7 +563,7 @@ out_oversize: + "Oversized IP packet from " NIPQUAD_FMT ".\n", + NIPQUAD(qp->saddr)); + out_fail: +- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_REASMFAILS); ++ IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS); + return err; + } + diff --git a/queue-2.6.27/series b/queue-2.6.27/series index 2bd673df5c8..eec9cef1b3f 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -8,3 +8,4 @@ v4l-dvb-13107-tda18271-fix-overflow-in-fm-radio-frequency-calculation.patch v4l-dvb-13109-tda18271-fix-signedness-issue-in-tda18271_rf_tracking_filters_init.patch v4l-dvb-13190-em28xx-fix-panic-that-can-occur-when-starting-audio-streaming.patch v4l-dvb-13230-s2255drv-don-t-conditionalize-video-buffer-completion-on-waiting-processes.patch +ipv4-additional-update-of-dev_net-dev-to-struct-net-in-ip_fragment.c-null-ptr-oops.patch
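Review bot: In the out_fail hunk of net/ipv4/ip_fragment.c, the replacement line `IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS);` depends on a local `net` in ip_frag_reasm(), but the changelog itself says the switch from dev_net(dev) to container_of(...) landed between 2.6.28.10 and 2.6.29, which is later than the 2.6.27 base this queue targets. None of the visible context lines declare `net`, so please confirm that the 2.6.27 version of ip_frag_reasm() already has that variable, or queue the prerequisite change ahead of this entry in series. Otherwise the backport will not build. The backport's changelog should also say whether `dev` can actually be NULL at out_fail on 2.6.27, since the oops it cites was reported against 2.6.32-rc8 and the only evidence given for the older tree is the text of the upstream commit.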