git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	David S. Miller <davem@davemloft.net>
	Thu, 14 Jan 2010 01:27:37 +0000 (17:27 -0800)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Mon, 18 Jan 2010 18:19:52 +0000 (10:19 -0800)
commit	5deb72edb39542650c73e3fa7bf4a4a3ef14cc63
tree	e91129d6e4700403c8b9167a40a7419a6ff25b4b	tree \| snapshot
parent	54f1b39ce06aaf023db558ce4cc73f1d550d0d53	commit \| diff

ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().

commit 2570a4f5428bcdb1077622342181755741e7fa60 upstream.

This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point.  We fixed that in commit
e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")

However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.

Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build.  When namespaces are turned off,
the dev_net() does not evaluate it's argument, so the dereference
would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled.  Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene@redhat.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>