[FEISTY] CVE-2007-1388: [PATCH] [IPV6]: Fix for ipv6_setsockopt NULL dereference
Phillip lougher
phillip at lougher.demon.co.uk
Tue May 1 23:50:58 UTC 2007
From 7464e88aa8e5444192fe5dd7d52227aa2e6cf582 Mon Sep 17 00:00:00 2001
From: Olaf Kirch <olaf.kirch at oracle.com>
Date: Fri, 9 Mar 2007 23:03:53 -0800
Subject: [PATCH] [IPV6]: Fix for ipv6_setsockopt NULL dereference (CVE-2007-1388)
Gabriel Campana discovered that the do_ipv6_setsockopt() function did
not sufficiently verify option values for IPV6_RTHDR. A local
attacker could exploit this to trigger a kernel crash.
Signed-off-by: Olaf Kirch <olaf.kirch at oracle.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
net/ipv6/ipv6_sockglue.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 23db88e..b20726f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -414,7 +414,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
}
/* routing header option needs extra check */
- if (optname == IPV6_RTHDR && opt->srcrt) {
+ if (optname == IPV6_RTHDR && opt && opt->srcrt) {
struct ipv6_rt_hdr *rthdr = opt->srcrt;
switch (rthdr->type) {
case IPV6_SRCRT_TYPE_0:
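Review bot: the added `opt &&` test in the IPV6_RTHDR condition guards only this one dereference, and neither the comment above it nor the commit message says under what condition opt is NULL at this point. Suggest extending the comment to something like "/* routing header option needs extra check; opt may be NULL here */" and confirming that any later use of opt in do_ipv6_setsockopt(), outside the context shown, tolerates NULL as well. The commit message speaks of insufficiently verified option values while the change itself is a NULL-pointer check, so one sentence naming the input that leaves opt NULL would make the fix easier to audit and to backport.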
--
1.4.4.2