aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStephen Hemminger <shemminger@osdl.org>2006-04-17 17:27:11 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2006-04-18 14:31:47 -0700
commita0b277b4fdcbc24c26af7c5d019e9448a51c79cf (patch)
treee754ef3a9b35551fa83e2361120b88a551528ffc
parent54e5705fd460c7621a4d73c71197e2650ba034a2 (diff)
[PATCH] ip_route_input panic fix (CVE-2006-1525)
This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388 The bug is caused by ip_route_input dereferencing skb->nh.protocol of the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing it). It only happens if the route requested is for a multicast IP address. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/ipv4/route.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index fca5fe0cf94..a67955e2637 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg)
/* Reserve room for dummy headers, this skb can pass
through good chunk of routing engine.
*/
- skb->mac.raw = skb->data;
+ skb->mac.raw = skb->nh.raw = skb->data;
+
+ /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
+ skb->nh.iph->protocol = IPPROTO_ICMP;
skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
if (rta[RTA_SRC - 1])