From: Jiri Pirko <jpirko@redhat.com> Date: Thu, 5 Jun 2008 17:24:54 +0200 Subject: [net] sit: exploitable remote memory leak Message-id: 1212679494.3162.25.camel@dhcp-lab-145.englab.brq.redhat.com O-Subject: [RHEL5.3 patch] BZ446039 CVE-2008-2136 kernel: sit: exploitable remote memory leak Bugzilla: 446039 RH-Acked-by: James Morris <jmorris@redhat.com> RH-Acked-by: Neil Horman <nhorman@redhat.com> RH-Acked-by: Anton Arapov <aarapov@redhat.com> BZ446039 https://bugzilla.redhat.com/show_bug.cgi?id=446039 Description Moved kfree_skb() right before return so it is also called in case of pskb_may_pull() failure. Upstream status: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02 Test status: Not tested, it's trivial obvious fix. Jirka net/ipv6/sit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 836eecd..cb81464 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -396,9 +396,9 @@ static int ipip6_rcv(struct sk_buff *skb) } icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); - kfree_skb(skb); read_unlock(&ipip6_lock); out: + kfree_skb(skb); return 0; }