From: Greg Kroah-Hartman Date: Wed, 19 Apr 2006 04:26:37 +0000 (-0700) Subject: 2.6.16.8 release X-Git-Tag: v2.6.16.8^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3de0e6ce5b27d0062754637c548d1807181853e;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.16.8 release --- diff --git a/2.6.16.8/IPV4-ip_route_input-panic-fix.patch b/2.6.16.8/IPV4-ip_route_input-panic-fix.patch new file mode 100644 index 00000000000..2393b85294e --- /dev/null +++ b/2.6.16.8/IPV4-ip_route_input-panic-fix.patch @@ -0,0 +1,33 @@ +From nobody Mon Sep 17 00:00:00 2001 +From: Stephen Hemminger +Date: Mon Apr 17 17:27:11 2006 -0700 +Subject: [PATCH] [IPV4]: ip_route_input panic fix (CVE-2006-1525) + +This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388 +The bug is caused by ip_route_input dereferencing skb->nh.protocol of +the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing +it). It only happens if the route requested is for a multicast IP +address. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/route.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- linux-2.6.16.7.orig/net/ipv4/route.c ++++ linux-2.6.16.7/net/ipv4/route.c +@@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in + /* Reserve room for dummy headers, this skb can pass + through good chunk of routing engine. + */ +- skb->mac.raw = skb->data; ++ skb->mac.raw = skb->nh.raw = skb->data; ++ ++ /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */ ++ skb->nh.iph->protocol = IPPROTO_ICMP; + skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)); + + if (rta[RTA_SRC - 1])
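Review bot: In the inet_rtm_getroute hunk of net/ipv4/route.c, the added comment ("need to give ip_route_input enough of an IP header to not gag") does not say which field ip_route_input reads or under what condition. The commit message has that detail (the protocol field of the dummy skb is dereferenced only when the requested route is for a multicast address), and it belongs in the comment, together with why IPPROTO_ICMP is the placeholder value. Only iph->protocol is set on the dummy header here, so the comment should also say that the lookup path must not rely on any other iphdr field for this skb; otherwise the same class of bug can return the next time ip_route_input starts reading another field. The message names the field as skb->nh.protocol while the code writes skb->nh.iph->protocol, and the two should match. The write is placed before skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)), which works because nh.raw is pointed at skb->data first and the reserve then moves data forward by more than sizeof(struct iphdr), but that ordering dependency deserves a word in the comment so a later reshuffle does not break it.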