• David S. Miller's avatar
    ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). · 2570a4f5
    David S. Miller authored
    This fixes CERT-FI FICORA #341748
    
    Discovered by Olli Jarva and Tuomo Untinen from the CROSS
    project at Codenomicon Ltd.
    
    Just like in CVE-2007-4567, we can't rely upon skb_dst() being
    non-NULL at this point.  We fixed that in commit
    e76b2b25 ("[IPV6]: Do no rely on
    skb->dst before it is assigned.")
    
    However commit 483a47d2 ("ipv6: added
    net argument to IP6_INC_STATS_BH") put a new version of the same bug
    into this function.
    
    Complicating analysis further, this bug can only trigger when network
    namespaces are enabled in the build.  When namespaces are turned off,
    the dev_net() does not evaluate it's argument, so the dereference
    would not occur.
    
    So, for a long time, namespaces couldn't be turned on unless SYSFS was
    disabled.  Therefore, this code has largely been disabled except by
    people turning it on explicitly for namespace development.
    
    With help from Eugene Teo <eugene@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2570a4f5
exthdrs.c 20.5 KB