Sophie

kernel-2.6.18-238.el5.src.rpm

From: Jiri Pirko <jpirko@redhat.com>
Date: Thu, 5 Jun 2008 17:24:54 +0200
Subject: [net] sit: exploitable remote memory leak
Message-id: 1212679494.3162.25.camel@dhcp-lab-145.englab.brq.redhat.com
O-Subject: [RHEL5.3 patch] BZ446039 CVE-2008-2136 kernel: sit: exploitable remote memory leak
Bugzilla: 446039
RH-Acked-by: James Morris <jmorris@redhat.com>
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: Anton Arapov <aarapov@redhat.com>

BZ446039
https://bugzilla.redhat.com/show_bug.cgi?id=446039

Description
Moved kfree_skb() right before return so it is also called in case of
pskb_may_pull() failure.

Upstream status:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02

Test status:
Not tested, it's a trivial, obvious fix.

Jirka

 net/ipv6/sit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 836eecd..cb81464 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -396,9 +396,9 @@ static int ipip6_rcv(struct sk_buff *skb)
 	}
 
 	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
-	kfree_skb(skb);
 	read_unlock(&ipip6_lock);
 out:
+	kfree_skb(skb);
 	return 0;
 }
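
Review bot: With kfree_skb(skb) now sitting under the out: label, every jump to out: frees the skb, so each goto out in ipip6_rcv() needs to be checked to confirm the skb is still owned at that point. The hunk shows only the tail of the function, and any path that reaches out: after the skb was handed off or already freed would turn this into a double free. The description names only the pskb_may_pull() failure as a user of that label; saying in the commit message that it is the sole one would settle the question. Since the subject describes this as remotely exploitable and the test status is "Not tested", exercising the pskb_may_pull() failure path once and checking that the skb is released would be worth doing before this goes in.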