linux/net/ipv6
David S. Miller 2570a4f542 ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().
This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point.  We fixed that in commit
e76b2b2567 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")

However commit 483a47d2fe ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.

Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build.  When namespaces are turned off,
the dev_net() does not evaluate it's argument, so the dereference
would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled.  Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene@redhat.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
2010-01-13 17:27:37 -08:00
..
netfilter netfilter: fix crashes in bridge netfilter caused by fragment jumps 2009-12-15 16:59:59 +01:00
addrconf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
addrconf_core.c
addrlabel.c net: replace %p6 with %pI6 2008-10-29 12:52:50 -07:00
af_inet6.c net: check kern before calling security subsystem 2009-11-05 22:18:18 -08:00
ah6.c xfrm: Use the user specified truncation length in ESP and AH 2009-11-25 15:48:41 -08:00
anycast.c ipv6: use RCU to walk list of network devices 2009-11-13 20:38:49 -08:00
datagram.c ipv6: no more dev_put() in datagram_send_ctl() 2009-11-02 03:42:41 -08:00
esp6.c xfrm: Use the user specified truncation length in ESP and AH 2009-11-25 15:48:41 -08:00
exthdrs.c ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). 2010-01-13 17:27:37 -08:00
exthdrs_core.c
fib6_rules.c net: Allow fib_rule_unregister to batch 2009-12-03 12:22:55 -08:00
icmp.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
inet6_connection_sock.c net: IPv6 changes 2009-10-20 18:55:45 -07:00
inet6_hashtables.c tcp: Fix a connect() race with timewait sockets 2009-12-08 20:17:51 -08:00
ip6_fib.c xfrm: select sane defaults for xfrm[4|6] gc_thresh 2009-07-30 18:52:15 -07:00
ip6_flowlabel.c net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
ip6_input.c net: constify struct inet6_protocol 2009-09-14 17:03:05 -07:00
ip6_output.c ip: fix mc_loop checks for tunnels with multicast outer addresses 2010-01-06 20:37:01 -08:00
ip6_tunnel.c net: Simplify ip6_tunnel pernet operations. 2009-12-01 16:15:59 -08:00
ip6mr.c ip6mr: Optimize multiple unregistration 2009-10-29 01:13:53 -07:00
ipcomp6.c net: constify struct inet6_protocol 2009-09-14 17:03:05 -07:00
ipv6_sockglue.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-10-27 01:03:26 -07:00
Kconfig IPv6: Fix 6RD typo 2009-10-07 14:50:30 -07:00
Makefile
mcast.c ipv6: use RCU to walk list of network devices 2009-11-13 20:38:49 -08:00
mip6.c ipv6: Use correct data types for ICMPv6 type and code 2009-06-23 04:31:07 -07:00
ndisc.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
netfilter.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
proc.c net: mark read-only arrays as const 2009-08-05 10:42:58 -07:00
protocol.c net: constify struct inet6_protocol 2009-09-14 17:03:05 -07:00
raw.c ipv6: avoid dev_hold()/dev_put() in rawv6_bind() 2009-11-08 00:43:18 -08:00
reassembly.c ipv6: fix an oops when force unload ipv6 module 2009-12-18 20:25:13 -08:00
route.c netns: fix net.ipv6.route.gc_min_interval_ms in netns 2009-12-18 20:11:03 -08:00
sit.c net: Simplify ipip6 aka sit pernet operations. 2009-12-01 16:15:59 -08:00
syncookies.c tcp: Revert per-route SACK/DSACK/TIMESTAMP changes. 2009-12-15 20:56:42 -08:00
sysctl_net_ipv6.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
tcp_ipv6.c tcp: Revert per-route SACK/DSACK/TIMESTAMP changes. 2009-12-15 20:56:42 -08:00
tunnel6.c net: constify struct inet6_protocol 2009-09-14 17:03:05 -07:00
udp.c IPv6: use ipv6_addr_v4mapped() 2009-11-10 20:54:44 -08:00
udp_impl.h net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
udplite.c net: drop capability from protocol definitions 2009-11-05 21:40:17 -08:00
xfrm6_input.c netns xfrm: per-netns MIBs 2008-11-25 17:59:52 -08:00
xfrm6_mode_beet.c ipsec: Interfamily IPSec BEET, ipv4-inner ipv6-outer 2008-08-06 02:40:25 -07:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xfrm6_output.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xfrm6_policy.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
xfrm6_state.c ipv6: fix sparse warning: Using plain integer as NULL pointer 2009-02-21 23:37:10 -08:00
xfrm6_tunnel.c xfrm6_tunnel: RCU conversion 2009-10-24 06:07:57 -07:00