linux-hardened/net/ipv6
Brian Haley 5e0115e500 ipv6: Fix OOPS, ip -f inet6 route get fec0::1, linux-2.6.26, ip6_route_output, rt6_fill_node+0x175
Alexey Dobriyan wrote:
> On Thu, Aug 07, 2008 at 07:00:56PM +0200, John Gumb wrote:
>> Scenario: no ipv6 default route set.
> 
>> # ip -f inet6 route get fec0::1
>>
>> BUG: unable to handle kernel NULL pointer dereference at 00000000
>> IP: [<c0369b85>] rt6_fill_node+0x175/0x3b0
>> EIP is at rt6_fill_node+0x175/0x3b0
> 
> 0xffffffff80424dd3 is in rt6_fill_node (net/ipv6/route.c:2191).
> 2186                    } else
> 2187    #endif
> 2188                            NLA_PUT_U32(skb, RTA_IIF, iif);
> 2189            } else if (dst) {
> 2190                    struct in6_addr saddr_buf;
> 2191      ====>         if (ipv6_dev_get_saddr(ip6_dst_idev(&rt->u.dst)->dev,
>                                                ^^^^^^^^^^^^^^^^^^^^^^^^
>                                                          NULL
> 
> 2192                                           dst, 0, &saddr_buf) == 0)
> 2193                            NLA_PUT(skb, RTA_PREFSRC, 16, &saddr_buf);
> 2194            }

The commit that changed this can't be reverted easily, but the patch
below works for me.

Fix NULL de-reference in rt6_fill_node() when there's no IPv6 input
device present in the dst entry.

Signed-off-by: Brian Haley <brian.haley@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-08-13 01:58:57 -07:00
netfilter netfilter: ip{,6}tables_security: fix future section mismatch 2008-07-26 17:48:38 -07:00
addrconf.c net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
addrconf_core.c [IPV6]: ipv6_addr_type() doesn't know about RFC4193 addresses. 2007-07-31 02:28:21 -07:00
addrlabel.c ipv6 netns: Address labels per namespace 2008-06-12 02:38:15 +09:00
af_inet6.c net: missing bits of net-namespace / sysctl 2008-07-27 04:40:51 -07:00
ah6.c [IPSEC]: Fix bogus usage of u64 on input sequence number 2008-02-12 22:50:35 -08:00
anycast.c ipv6 netns: Make several "global" sysctl variables namespace aware. 2008-07-19 22:35:03 -07:00
datagram.c IPv6: datagram_send_ctl() should exit immediately when an error occurred 2008-07-29 23:57:58 -07:00
esp6.c ipsec: Interfamily IPSec BEET, ipv4-inner ipv6-outer 2008-08-06 02:40:25 -07:00
exthdrs.c ipv6 netns: Make several "global" sysctl variables namespace aware. 2008-07-19 22:35:03 -07:00
exthdrs_core.c [NET] IPV6: Fix whitespace errors. 2007-02-10 23:19:42 -08:00
fib6_rules.c [IPV6] FIB_RULE: Sparse: fib6_rules_cleanup() is of void. 2008-04-11 19:47:53 +09:00
icmp.c icmp: fix units for ratelimit 2008-07-01 19:29:07 -07:00
inet6_connection_sock.c net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
inet6_hashtables.c net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
ip6_fib.c net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
ip6_flowlabel.c [IPV6] NETNS: Handle ancillary data in appropriate namespace. 2008-06-05 04:02:36 +09:00
ip6_input.c ipv6 netns: Make several "global" sysctl variables namespace aware. 2008-07-19 22:35:03 -07:00
ip6_output.c ipv6: Do not drop packet if skb->local_df is set to true 2008-08-03 21:15:59 -07:00
ip6_tunnel.c net: remove CVS keywords 2008-06-11 21:00:38 -07:00
ip6mr.c netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
ipcomp6.c ipcomp: Fix warnings after ipcomp consolidation. 2008-07-27 03:59:24 -07:00
ipv6_sockglue.c ipv6: Fix the return value of Set Hop-by-Hop options header with NULL data pointer 2008-08-03 18:16:15 -07:00
Kconfig ipsec: ipcomp - Merge IPComp implementations 2008-07-25 02:54:40 -07:00
Makefile [IPV6] MROUTE: Support multicast forwarding. 2008-04-05 22:33:38 +09:00
mcast.c ipv6 mcast: Omit redundant address family checks in ip6_mc_source(). 2008-07-19 22:36:07 -07:00
mip6.c net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
ndisc.c ipv6 netns: Make several "global" sysctl variables namespace aware. 2008-07-19 22:35:03 -07:00
netfilter.c [NETFILTER]: Add partial checksum validation helper 2008-04-14 11:15:49 +02:00
proc.c ipv6: Fix useless proc net sockstat6 removal 2008-07-30 03:27:52 -07:00
protocol.c net: remove CVS keywords 2008-06-11 21:00:38 -07:00
raw.c ipv6: remove unused parameter from ip6_ra_control 2008-07-19 00:28:58 -07:00
reassembly.c net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
route.c ipv6: Fix OOPS, ip -f inet6 route get fec0::1, linux-2.6.26, ip6_route_output, rt6_fill_node+0x175 2008-08-13 01:58:57 -07:00
sit.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-06-16 18:25:48 -07:00
syncookies.c ipv6: syncookies: free reqsk on xfrm_lookup error 2008-08-03 18:13:44 -07:00
sysctl_net_ipv6.c net: missing bits of net-namespace / sysctl 2008-07-27 04:40:51 -07:00
tcp_ipv6.c tcp: Fix kernel panic when calling tcp_v(4/6)_md5_do_lookup 2008-08-06 23:50:04 -07:00
tunnel6.c [IPV6] TUNNEL6: Fix incoming packet length check for inter-protocol tunnel. 2008-06-05 04:02:32 +09:00
udp.c udp: Drop socket lock for encapsulated packets 2008-08-09 00:35:05 -07:00
udp_impl.h net: change proto destroy method to return void 2008-06-14 17:04:49 -07:00
udplite.c net: remove CVS keywords 2008-06-11 21:00:38 -07:00
xfrm6_input.c [XFRM] IPV6: Optimize xfrm6_input_addr(). 2008-03-25 10:23:56 +09:00
xfrm6_mode_beet.c ipsec: Interfamily IPSec BEET, ipv4-inner ipv6-outer 2008-08-06 02:40:25 -07:00
xfrm6_mode_ro.c [IPSEC]: Make x->lastused an unsigned long 2008-01-28 14:53:52 -08:00
xfrm6_mode_transport.c [IPSEC]: Use IPv6 calling convention as the convention for x->mode->output 2007-10-10 16:55:54 -07:00
xfrm6_mode_tunnel.c [IPSEC]: Fix inter address family IPsec tunnel handling. 2008-03-24 14:51:51 -07:00
xfrm6_output.c [IPSEC]: Fix inter address family IPsec tunnel handling. 2008-03-24 14:51:51 -07:00
xfrm6_policy.c [NET] NETNS: Omit net_device->nd_net without CONFIG_NET_NS. 2008-03-26 04:39:53 +09:00
xfrm6_state.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-03-27 18:48:56 -07:00
xfrm6_tunnel.c [XFRM] IPV6: Optimize __xfrm_tunnel_alloc_spi(). 2008-03-25 10:23:57 +09:00