linux/net
David S. Miller 2570a4f542 ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().
This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point.  We fixed that in commit
e76b2b2567 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")

However commit 483a47d2fe ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.

Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build.  When namespaces are turned off,
the dev_net() does not evaluate it's argument, so the dereference
would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled.  Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene@redhat.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
2010-01-13 17:27:37 -08:00
..
9p net: Move && and || to end of previous line 2009-11-29 16:55:45 -08:00
802 sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
8021q netdevice: provide common routine for macvlan and vlan operstate management 2009-12-03 15:59:22 -08:00
appletalk Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
atm atm: [br2684] allow routed mode operation again 2009-12-08 20:22:31 -08:00
ax25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
bluetooth Bluetooth: Fix L2CAP locking scheme regression 2009-12-17 12:07:25 -08:00
bridge netfilter: ebtables: enforce CAP_NET_ADMIN 2010-01-08 17:31:24 +01:00
can net: Move && and || to end of previous line 2009-11-29 16:55:45 -08:00
core tcp: update the netstamp_needed counter when cloning sockets 2010-01-08 00:00:09 -08:00
dcb net: Move && and || to end of previous line 2009-11-29 16:55:45 -08:00
dccp tcp: Fix a connect() race with timewait sockets 2009-12-08 20:17:51 -08:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
dsa netdev: convert pseudo-devices to netdev_tx_t 2009-09-01 01:13:07 -07:00
econet net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
ethernet remove deprecated and not used: print_mac() 2009-11-15 22:21:34 -08:00
ieee802154 net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
ipv4 ip: fix mc_loop checks for tunnels with multicast outer addresses 2010-01-06 20:37:01 -08:00
ipv6 ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). 2010-01-13 17:27:37 -08:00
ipx Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
irda Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
iucv iucv: add work_queue cleanup for suspend 2009-11-13 20:46:58 -08:00
key xfrm: Fix truncation length of authentication algorithms installed via PF_KEY 2009-12-11 15:07:57 -08:00
lapb net: remove NET_RX_BAD and NET_RX_CN* defines 2009-07-05 19:15:35 -07:00
llc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
mac80211 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2010-01-12 21:33:49 -08:00
netfilter netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq() 2010-01-07 18:33:18 +01:00
netlabel Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
netlink net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
netrom Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
packet af_packet: Don't use skb after dev_queue_xmit() 2010-01-11 15:39:42 -08:00
phonet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
rfkill net/rfkill/core.c: work around gcc-4.0.2 silliness 2009-12-07 16:51:23 -05:00
rose rose_loopback_timer sets VC number <= ROSE_DEFAULT_MAXVC 2010-01-03 21:21:16 -08:00
rxrpc net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
sched Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
sctp net/sctp/socket.c: squish warning 2010-01-03 21:25:53 -08:00
sunrpc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
tipc net: Move && and || to end of previous line 2009-11-29 16:55:45 -08:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
wanrouter headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
wimax Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
wireless cfg80211: fix refcount imbalance when wext is disabled 2010-01-11 19:37:09 -05:00
x25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
xfrm NET: XFRM: Fix spelling of neighbour. 2009-12-26 20:24:46 -08:00
compat.c net: use compat helper functions in compat_sys_recvmmsg 2009-12-11 15:07:57 -08:00
Kconfig net/compat/wext: send different messages to compat tasks 2009-07-15 08:53:39 -07:00
Makefile net: remove redundant sched/ in net/Makefile 2009-07-12 20:11:14 -07:00
nonet.c
socket.c net: compat_mmsghdr must be used in sys_recvmmsg 2009-12-02 01:23:23 -08:00
sysctl_net.c net: sysctl_net - use net_eq to compare nets 2009-03-16 16:23:30 +01:00
TUNABLE