Message ID | 1300382485.1813.6.camel@emiko |
---|---|
State | New |
On 03/17/2011 11:21 AM, Leann Ogasawara wrote: > The following changes since commit 78006f719c80cc01424fb9a9d3bbd06eeba4dd13: > Stefan Bader (1): > Linux 2.6.32.33+drm33.15 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-lucid.git CVE-2010-4342 > > David S. Miller (1): > econet: Fix crash in aun_incoming(). CVE-2010-4342 > > net/econet/af_econet.c | 6 +++++- > 1 files changed, 5 insertions(+), 1 deletions(-) > > From 4b4b8aef6afeedece57675ea94be2dda72a091a5 Mon Sep 17 00:00:00 2001 > From: David S. Miller<davem@davemloft.net> > Date: Wed, 8 Dec 2010 18:42:23 -0800 > Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342 > > CVE-2010-4342 > > BugLink: http://bugs.launchpad.net/bugs/736394 > > Unconditional use of skb->dev won't work here, > try to fetch the econet device via skb_dst()->dev > instead. > > Suggested by Eric Dumazet. > > Reported-by: Nelson Elhage<nelhage@ksplice.com> > Tested-by: Nelson Elhage<nelhage@ksplice.com> > Signed-off-by: David S. Miller<davem@davemloft.net> > (backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64) > > Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com> > --- > net/econet/af_econet.c | 6 +++++- > 1 files changed, 5 insertions(+), 1 deletions(-) > > diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c > index c9cf1ec..c5f152a 100644 > --- a/net/econet/af_econet.c > +++ b/net/econet/af_econet.c > @@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len) > struct iphdr *ip = ip_hdr(skb); > unsigned char stn = ntohl(ip->saddr)& 0xff; > struct sock *sk; > + struct dst_entry *dst = skb_dst(skb); > + struct ec_device *edev = NULL; > struct sk_buff *newskb; > - struct ec_device *edev = skb->dev->ec_ptr; > + > + if (dst) > + edev = dst->dev->ec_ptr; > > if (! edev) > goto bad; Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 03/17/2011 10:21 AM, Leann Ogasawara wrote: > The following changes since commit 78006f719c80cc01424fb9a9d3bbd06eeba4dd13: > Stefan Bader (1): > Linux 2.6.32.33+drm33.15 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-lucid.git CVE-2010-4342 > > David S. Miller (1): > econet: Fix crash in aun_incoming(). CVE-2010-4342 > > net/econet/af_econet.c | 6 +++++- > 1 files changed, 5 insertions(+), 1 deletions(-) > > From 4b4b8aef6afeedece57675ea94be2dda72a091a5 Mon Sep 17 00:00:00 2001 > From: David S. Miller<davem@davemloft.net> > Date: Wed, 8 Dec 2010 18:42:23 -0800 > Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342 > > CVE-2010-4342 > > BugLink: http://bugs.launchpad.net/bugs/736394 > > Unconditional use of skb->dev won't work here, > try to fetch the econet device via skb_dst()->dev > instead. > > Suggested by Eric Dumazet. > > Reported-by: Nelson Elhage<nelhage@ksplice.com> > Tested-by: Nelson Elhage<nelhage@ksplice.com> > Signed-off-by: David S. Miller<davem@davemloft.net> > (backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64) > > Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com> > --- > net/econet/af_econet.c | 6 +++++- > 1 files changed, 5 insertions(+), 1 deletions(-) > > diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c > index c9cf1ec..c5f152a 100644 > --- a/net/econet/af_econet.c > +++ b/net/econet/af_econet.c > @@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len) > struct iphdr *ip = ip_hdr(skb); > unsigned char stn = ntohl(ip->saddr)& 0xff; > struct sock *sk; > + struct dst_entry *dst = skb_dst(skb); > + struct ec_device *edev = NULL; > struct sk_buff *newskb; > - struct ec_device *edev = skb->dev->ec_ptr; > + > + if (dst) > + edev = dst->dev->ec_ptr; > > if (! edev) > goto bad; Acked-by: Brad Figg <brad.figg@canonical.com>
On 03/17/2011 11:21 AM, Leann Ogasawara wrote: > The following changes since commit 78006f719c80cc01424fb9a9d3bbd06eeba4dd13: > Stefan Bader (1): > Linux 2.6.32.33+drm33.15 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-lucid.git CVE-2010-4342 > > David S. Miller (1): > econet: Fix crash in aun_incoming(). CVE-2010-4342 > > net/econet/af_econet.c | 6 +++++- > 1 files changed, 5 insertions(+), 1 deletions(-) > > From 4b4b8aef6afeedece57675ea94be2dda72a091a5 Mon Sep 17 00:00:00 2001 > From: David S. Miller<davem@davemloft.net> > Date: Wed, 8 Dec 2010 18:42:23 -0800 > Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342 > > CVE-2010-4342 > > BugLink: http://bugs.launchpad.net/bugs/736394 > > Unconditional use of skb->dev won't work here, > try to fetch the econet device via skb_dst()->dev > instead. > > Suggested by Eric Dumazet. > > Reported-by: Nelson Elhage<nelhage@ksplice.com> > Tested-by: Nelson Elhage<nelhage@ksplice.com> > Signed-off-by: David S. Miller<davem@davemloft.net> > (backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64) > > Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com> > --- > net/econet/af_econet.c | 6 +++++- > 1 files changed, 5 insertions(+), 1 deletions(-) > > diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c > index c9cf1ec..c5f152a 100644 > --- a/net/econet/af_econet.c > +++ b/net/econet/af_econet.c > @@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len) > struct iphdr *ip = ip_hdr(skb); > unsigned char stn = ntohl(ip->saddr)& 0xff; > struct sock *sk; > + struct dst_entry *dst = skb_dst(skb); > + struct ec_device *edev = NULL; > struct sk_buff *newskb; > - struct ec_device *edev = skb->dev->ec_ptr; > + > + if (dst) > + edev = dst->dev->ec_ptr; > > if (! edev) > goto bad; applied
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index c9cf1ec..c5f152a 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c @@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len) struct iphdr *ip = ip_hdr(skb); unsigned char stn = ntohl(ip->saddr) & 0xff; struct sock *sk; + struct dst_entry *dst = skb_dst(skb); + struct ec_device *edev = NULL; struct sk_buff *newskb; - struct ec_device *edev = skb->dev->ec_ptr; + + if (dst) + edev = dst->dev->ec_ptr; if (! edev) goto bad;
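Review bot: the added `if (dst)` guard in aun_incoming() checks only the dst entry itself, while `edev = dst->dev->ec_ptr;` still dereferences `dst->dev` unconditionally, which is the same shape as the `skb->dev->ec_ptr` line being removed. If `dst->dev` is guaranteed non-NULL whenever `skb_dst(skb)` returns an entry on this receive path, a one-line comment above the guard saying so would help the next reader; if it is not guaranteed, extend the test to `if (dst && dst->dev)`. The commit message says unconditional use of `skb->dev` "won't work here" without stating why, so a short note on when `skb->dev` is unusable in this function would make the backport easier to audit. The fall-through to the existing `if (! edev) goto bad;` correctly handles the case where no dst is attached, since `edev` is now initialised to NULL.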