| From nobody Mon Sep 17 00:00:00 2001 |
| From: Stephen Hemminger <shemminger@osdl.org> |
| Date: Mon Apr 17 17:27:11 2006 -0700 |
| Subject: [PATCH] [IPV4]: ip_route_input panic fix (CVE-2006-1525) |
| |
| This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388 |
| The bug is caused by ip_route_input dereferencing skb->nh.protocol of |
| the dummy skb passed down from inet_rtm_getroute (Thanks Thomas for seeing |
| it). It only happens if the route requested is for a multicast IP |
| address. |
| |
| Signed-off-by: Stephen Hemminger <shemminger@osdl.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/ipv4/route.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| --- linux-2.6.16.7.orig/net/ipv4/route.c |
| +++ linux-2.6.16.7/net/ipv4/route.c |
| @@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in |
| /* Reserve room for dummy headers, this skb can pass |
| through good chunk of routing engine. |
| */ |
| - skb->mac.raw = skb->data; |
| + skb->mac.raw = skb->nh.raw = skb->data; |
| + |
| + /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */ |
| + skb->nh.iph->protocol = IPPROTO_ICMP; |
| skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)); |
| |
| if (rta[RTA_SRC - 1]) |
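Review bot: only the protocol byte of the dummy header is initialized at the added `skb->nh.iph->protocol = IPPROTO_ICMP;` line, so every other field of the struct iphdr that `skb->nh.raw` now points to holds whatever the buffer contained when this code was reached. If any other header field is read on the ip_route_input path for this dummy skb, it is read uninitialized. Consider clearing the full sizeof(struct iphdr) bytes at skb->data before setting protocol. The new comment should also say which field ip_route_input reads (protocol, on the multicast path per the commit message) and that IPPROTO_ICMP is an arbitrary placeholder value, since "enough of an IP header to not gag" does not tell the next reader what must stay valid. It is also worth noting in the comment that the header is deliberately written at skb->data before skb_reserve() advances it, so the dummy header ends up in the headroom rather than in the payload area.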