diff options
author | Stephen Hemminger <shemminger@osdl.org> | 2006-04-17 17:27:11 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-04-18 14:31:47 -0700 |
commit | a0b277b4fdcbc24c26af7c5d019e9448a51c79cf (patch) | |
tree | e754ef3a9b35551fa83e2361120b88a551528ffc | |
parent | 54e5705fd460c7621a4d73c71197e2650ba034a2 (diff) |
[PATCH] ip_route_input panic fix (CVE-2006-1525)
This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
The bug is caused by ip_route_input dereferencing skb->nh.protocol of
the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing
it). It only happens if the route requested is for a multicast IP
address.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | net/ipv4/route.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/ipv4/route.c b/net/ipv4/route.c index fca5fe0cf94..a67955e2637 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg) /* Reserve room for dummy headers, this skb can pass through good chunk of routing engine. */ - skb->mac.raw = skb->data; + skb->mac.raw = skb->nh.raw = skb->data; + + /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */ + skb->nh.iph->protocol = IPPROTO_ICMP; skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)); if (rta[RTA_SRC - 1]) |