
kernel-2.6.18-238.el5.src.rpm

From: Vitaly Mayatskikh <vmayatsk@redhat.com>
Date: Tue, 18 Aug 2009 19:11:42 +0200
Subject: [net] udp: socket NULL ptr dereference
Message-id: 87tz05gi7l.wl%vmayatsk@redhat.com
O-Subject: [kernel team] [RHEL-5.4 patch] bz518043 CVE-2009-2698 udp socket NULL ptr dereference
Bugzilla: 518043
RH-Acked-by: Thomas Graf <tgraf@redhat.com>
RH-Acked-by: Andy Gospodarek <gospo@redhat.com>
CVE: CVE-2009-2698

https://bugzilla.redhat.com/show_bug.cgi?id=518043

Description:
============
UDP tracks corking status through the pending variable.  The IP layer
also tracks it through the socket write queue.  It is possible for the
two to get out of sync when MSG_PROBE is used. When the attacker also uses
the MSG_MORE flag, the next sendto() will kill the kernel, because struct
rtable was used without being initialized.

This patch changes UDP to check the write queue to ensure that the two
stay in sync.

Upstream status:
================
commit 1e0c14f49d6b393179f423abbac47f85618d3d46

Test status:
============
Tested with reproducer from https://bugzilla.redhat.com/show_bug.cgi?id=518034#c2
Patched kernel survives.

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 2b9f07d..d9f6108 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -672,6 +672,8 @@ do_append_data:
 		udp_flush_pending_frames(sk);
 	else if (!corkreq)
 		err = udp_push_pending_frames(sk, up);
+	else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))
+		up->pending = 0;
 	release_sock(sk);
 
 out:
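Review bot: the new `else if` branch is the entire fix for the MSG_PROBE/MSG_MORE desync the description names, yet it carries no comment; a one-line note above `else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))` saying that a probe send queues nothing while leaving `up->pending` set, so the next corked send would otherwise reach do_append_data with no route, would spare the next reader a trip to the bugzilla. Placing the reset immediately before `release_sock(sk)` is right, since `up->pending` must be written under the socket lock.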
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index f76f0a2..36d0301 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -882,6 +882,8 @@ do_append_data:
 		udp_v6_flush_pending_frames(sk);
 	else if (!corkreq)
 		err = udp_v6_push_pending_frames(sk, up);
+	else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))
+		up->pending = 0;
 
 	if (dst) {
 		if (connected) {
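Review bot: same comment request as for the IPv4 hunk. Unlike the v4 hunk, the context here shows no `release_sock()` next to the new `up->pending = 0;`, so please confirm the socket lock is still held through the `if (dst)` block that follows; a short comment tying both copies of the branch to the MSG_PROBE case would also keep the two files from drifting apart on later backports.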
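To make the desync in the description concrete, the following is a constructed C model of the two corking trackers, not kernel code and not part of this patch: `pending` stands for `up->pending`, `queue_len` for the socket write queue, and the `patched` flag switches the hunk's extra `else if` on; the `M_MSG_*` values are model constants, not the real `MSG_*` flags.

```c
#include <stdbool.h>

/* Constructed flag values for the model only; the real MSG_* constants live in <sys/socket.h>. */
#define M_MSG_MORE  0x1
#define M_MSG_PROBE 0x2

/* Minimal model of the state udp_sendmsg() relies on: UDP's own corking flag,
 * the IP layer's write queue, and whether a route lookup ran for this call. */
struct model_sock {
	int pending;      /* models up->pending */
	int queue_len;    /* models skb_queue_len(&sk->sk_write_queue) */
	bool patched;     /* apply the hunk's extra "else if" branch */
};

/* Returns 0 on success, -1 where the real kernel would touch the
 * uninitialised rtable (a fresh cork started with no route looked up). */
int model_sendmsg(struct model_sock *sk, int flags)
{
	bool corkreq = (flags & M_MSG_MORE) != 0;
	bool rt_valid = false;

	if (!sk->pending) {
		rt_valid = true;    /* normal path: route looked up, cork started */
		sk->pending = 1;
	}
	/* do_append_data: a pending cork skips the route lookup and relies on
	 * what the write queue already holds; an empty queue means a new cork
	 * with no route, which is the crash the description reports. */
	if (!rt_valid && sk->queue_len == 0)
		return -1;
	if (!(flags & M_MSG_PROBE))
		sk->queue_len++;    /* MSG_PROBE queues nothing */

	if (!corkreq) {
		sk->queue_len = 0;  /* push: frames sent, cork released */
		sk->pending = 0;
	} else if (sk->patched && sk->queue_len == 0) {
		sk->pending = 0;    /* the fix: resync when nothing was queued */
	}
	return 0;
}

/* The probe-then-send sequence from the description: 0 if the model survives, -1 if not. */
int model_probe_then_send(bool patched)
{
	struct model_sock sk = { .pending = 0, .queue_len = 0, .patched = patched };
	if (model_sendmsg(&sk, M_MSG_PROBE | M_MSG_MORE) != 0)
		return -1;
	return model_sendmsg(&sk, 0);
}
```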