rpms/kernel/F-11 ipv4-fix-null-ptr-deref-in-ip_fragment.patch, NONE, 1.1 kernel.spec, 1.1780, 1.1781

Kyle McMartin kyle at fedoraproject.org
Fri Dec 4 04:29:53 UTC 2009


Author: kyle

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30376

Modified Files:
	kernel.spec 
Added Files:
	ipv4-fix-null-ptr-deref-in-ip_fragment.patch 
Log Message:
* Thu Dec 03 2009 Kyle McMartin <kyle at redhat.com> 2.6.30.9-102
- ipv4-fix-null-ptr-deref-in-ip_fragment.patch: null ptr deref
  bug fix.


ipv4-fix-null-ptr-deref-in-ip_fragment.patch:
 ip_fragment.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE ipv4-fix-null-ptr-deref-in-ip_fragment.patch ---
From: David Ford <david at blue-labs.org>
Date: Mon, 30 Nov 2009 07:02:22 +0000 (-0800)
Subject: ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr... 
X-Git-Tag: v2.6.32~40^2~6
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=bbf31bf18d34caa87dd01f08bf713635593697f2

ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS

ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined
previously patched into 2.6.29.

Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched,
changing from dev_net(dev) to container_of(...).  Unfortunately the goto
section (out_fail) on oversized packets inside ip_frag_reasm() didn't
get touched up as well.  Oversized IP packets cause a NULL pointer
dereference and immediate hang.

I discovered this running openvasd and my previous email on this is
titled:  NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566

Signed-off-by: David Ford <david at blue-labs.org>
Signed-off-by: David S. Miller <davem at davemloft.net>
---

diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 575f9bd..d3fe10b 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -563,7 +563,7 @@ out_oversize:
 		printk(KERN_INFO "Oversized IP packet from %pI4.\n",
 			&qp->saddr);
 out_fail:
-	IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_REASMFAILS);
+	IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS);
 	return err;
 }
 
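Review bot: at out_fail, the replacement `net` is only safe if it is assigned before every goto that can reach out_oversize or out_fail; the hunk does not show its declaration, so confirm it is initialized where it is declared (the commit message says via container_of(...)) rather than after the first early exit. Since the message describes this call as a leftover from the earlier conversion, it is also worth checking that no other dev_net(dev) use remains in ip_frag_reasm().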


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1780
retrieving revision 1.1781
diff -u -p -r1.1780 -r1.1781
--- kernel.spec	19 Nov 2009 14:38:34 -0000	1.1780
+++ kernel.spec	4 Dec 2009 04:29:53 -0000	1.1781
@@ -841,6 +841,9 @@ Patch16470: sata_nv-use-hardreset-only-f
 # rhbz#538734 (CVE-tbd) [f60311d5f7670d9539b424e4ed8b5c0872fc9e83]
 Patch16471: fuse-prevent-fuse_put_request-in-invalid-ptr.patch
 
+# rhbz#544144 [bbf31bf18d34caa87dd01f08bf713635593697f2]
+Patch16472: ipv4-fix-null-ptr-deref-in-ip_fragment.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
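Review bot: the comment above Patch16472 gives the bug number and upstream commit but no CVE marker, while the entry just before it carries "(CVE-tbd)". The patch description says oversized IP packets cause a NULL pointer dereference and immediate hang, so if a CVE is being requested for rhbz#544144, mark it the same way here.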
@@ -1580,6 +1583,9 @@ ApplyPatch sata_nv-make-sure-link-is-bro
 
 ApplyPatch fuse-prevent-fuse_put_request-in-invalid-ptr.patch
 
+# rhbz#544144
+ApplyPatch ipv4-fix-null-ptr-deref-in-ip_fragment.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2168,6 +2174,10 @@ fi
 # and build.
 
 %changelog
+* Thu Dec 03 2009 Kyle McMartin <kyle at redhat.com> 2.6.30.9-102
+- ipv4-fix-null-ptr-deref-in-ip_fragment.patch: null ptr deref
+  bug fix.
+
 * Thu Nov 19 2009 Kyle McMartin <kyle at redhat.com>
 - fuse-prevent-fuse_put_request-in-invalid-ptr.patch: fix oops in fuse
   when low on memory. rhbz#538734.
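Review bot: the new %changelog entry says only "null ptr deref bug fix" and omits the bug number, whereas the Nov 19 entry below it names the symptom and ends with its rhbz reference. Suggest naming the affected path (ip_frag_reasm() on oversized IP packets) and appending rhbz#544144 so the changelog can be searched by bug.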



