2.4.36-stable kernel tree
Revision | e642722f285e8fd335d109c557bb90b50cc10bd5 (tree) |
---|---|
Zeit | 2006-09-29 06:28:50 |
Autor | dann frazier <dannf@debi...> |
Commiter | Willy Tarreau |
[PATCH] Backport fix for CVE-2006-4997 to 2.4 tree
Backport fix for CVE-2006-4997 to 2.4 tree, compile tested.
Original commit message follows.
[ATM] CLIP: Do not refer freed skbuff in clip_mkip().
In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.
Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).
Original patch by YOSHIFUJI Hideaki.
Signed-off-by: dann frazier <dannf@debian.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
@@ -489,9 +489,11 @@ static int clip_mkip(struct atm_vcc *vcc,int timeout) | ||
489 | 489 | else { |
490 | 490 | unsigned int len = skb->len; |
491 | 491 | |
492 | + skb_get(skb); | |
492 | 493 | clip_push(vcc,skb); |
493 | 494 | PRIV(skb->dev)->stats.rx_packets--; |
494 | 495 | PRIV(skb->dev)->stats.rx_bytes -= len; |
496 | + kfree_skb(skb); | |
495 | 497 | } |
496 | 498 | return 0; |
497 | 499 | } |