Commit d0239f35 authored by James Morris, committed by Chris Wright

[PATCH] IPV6: fix lockup via /proc/net/ip6_flowlabel [CVE-2006-5619]

There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
after finding a flowlabel, the code will loop forever not finding any
further flowlabels, first traversing the rest of the hash bucket then just
looping.

This patch fixes the problem by breaking after the hash bucket has been
traversed.

Note that this bug can cause lockups and oopses, and is trivially invoked
by an unprivileged user.

Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
parent f3fcd7f6
...@@ -587,6 +587,8 @@ static struct ip6_flowlabel *ip6fl_get_next(struct seq_file *seq, struct ip6_flo ...@@ -587,6 +587,8 @@ static struct ip6_flowlabel *ip6fl_get_next(struct seq_file *seq, struct ip6_flo
while (!fl) { while (!fl) {
if (++state->bucket <= FL_HASH_MASK) if (++state->bucket <= FL_HASH_MASK)
fl = fl_ht[state->bucket]; fl = fl_ht[state->bucket];
else
break;
} }
return fl; return fl;
} }
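Review bot: The termination condition in ip6fl_get_next() is now split between the `while (!fl)` test and the new `else break;`, which makes the exit case easy to miss when reading the loop. Folding the bound into the loop condition, as in `while (!fl && ++state->bucket <= FL_HASH_MASK) fl = fl_ht[state->bucket];`, is equivalent and shows both exit conditions in one place. Note also that on the terminating pass `state->bucket` is still incremented and ends at FL_HASH_MASK + 1; this is harmless here because the `<=` comparison guards the `fl_ht[]` index, but a one-line comment saying that the loop returns NULL once the table is exhausted would help anyone touching the seq_file iterator later.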