Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().
This fixes CERT-FI FICORA #341748 Discovered by Olli Jarva and Tuomo Untinen from the CROSS project at Codenomicon Ltd. Just like in CVE-2007-4567, we can't rely upon skb_dst() being non-NULL at this point. We fixed that in commit e76b2b2 ("[IPV6]: Do no rely on skb->dst before it is assigned.") However commit 483a47d ("ipv6: added net argument to IP6_INC_STATS_BH") put a new version of the same bug into this function. Complicating analysis further, this bug can only trigger when network namespaces are enabled in the build. When namespaces are turned off, the dev_net() does not evaluate it's argument, so the dereference would not occur. So, for a long time, namespaces couldn't be turned on unless SYSFS was disabled. Therefore, this code has largely been disabled except by people turning it on explicitly for namespace development. With help from Eugene Teo <[email protected]> Signed-off-by: David S. Miller <[email protected]>
- Loading branch information