2009-11-26 11:10:33

by David Ford

Subject: [PATCH] additional update of dev_net(net) to struct *net in ip_fragment.c, NULL ptr OOPS

ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined
previously patched into 2.6.29.

--- linux-2.6.32-rc8/net/ipv4/ip_fragment.c.orig 2009-09-09
18:13:59.000000000 -0400
+++ linux-2.6.32-rc8/net/ipv4/ip_fragment.c 2009-11-26
05:02:43.000000000 -0500
@@ -563,7 +563,7 @@
printk(KERN_INFO "Oversized IP packet from %pI4.\n",
&qp->saddr);
out_fail:
- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_REASMFAILS);
+ IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS);
return err;
}

Signed-off-by: David Ford <[email protected]>



Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched,
changing from dev_net(dev) to container_of(...). Unfortunately the goto
section (out_fail) on oversized packets inside ip_frag_reasm() didn't
get touched up as well. Oversized IP packets cause a NULL pointer
dereference and immediate hang.

I discovered this running openvasd and my previous email on this is
titled: NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566

-david