Contents of /genpatches-2.6/trunk/2.6.30/1505_fix-null-ptr-def-in-tun-chr-pool.patch

Revision 1587
Sat Jul 18 21:41:52 2009 UTC (11 years, 4 months ago) by mpagano
File MIME type: text/x-diff
File size: 1445 byte(s)
Adding patch to fix NULL pointer dereference in tun_chr_pool CVE-2009-1897
1 From: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
2 Date: Sun, 5 Jul 2009 19:48:35 +0000 (+0000)
3 Subject: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
4 X-Git-Tag: v2.6.31-rc3~40^2~15
5 X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
6
7 tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
8
9 Fix NULL pointer dereference in tun_chr_pool() introduced by commit
10 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
11 packets per device") and triggered by this code:
12
13 int fd;
14 struct pollfd pfd;
15 fd = open("/dev/net/tun", O_RDWR);
16 pfd.fd = fd;
17 pfd.events = POLLIN | POLLOUT;
18 poll(&pfd, 1, 0);
19
20 Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
21 Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
22 Signed-off-by: David S. Miller <davem@davemloft.net>
23 ---
24
25 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
26 index b393536..027f7ab 100644
27 --- a/drivers/net/tun.c
28 +++ b/drivers/net/tun.c
29 @@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
30 {
31 struct tun_file *tfile = file->private_data;
32 struct tun_struct *tun = __tun_get(tfile);
33 - struct sock *sk = tun->sk;
34 + struct sock *sk;
35 unsigned int mask = 0;
36
37 if (!tun)
38 return POLLERR;
39
40 + sk = tun->sk;
41 +
42 DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
43
44 poll_wait(file, &tun->socket.wait, wait);
45
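
Review bot: at the `if (!tun)` check in tun_chr_poll(), nothing in the function says when __tun_get() returns NULL, so the ordering constraint this patch restores is easy to break again. Add a one-line comment above the check noting that a freshly opened file (the open() then poll() case from the commit message) has no tun attached, and that `tun` must not be dereferenced in a declaration initializer above that point. Moving `sk = tun->sk;` below the check is the right order, and the `DBG(...)` line that reads `tun->dev->name` is already after it. Separately, the commit message spells the function tun_chr_pool() while the hunk header shows tun_chr_poll(); correcting the name would make the commit findable by function name.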