From patchwork Thu Mar 17 17:21:25 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [CVE-2010-4342,
 Lucid] econet: Fix crash in aun_incoming(). CVE-2010-4342
From: Leann Ogasawara <leann.ogasawara@canonical.com>
X-Patchwork-Id: 87400
Message-Id: <1300382485.1813.6.camel@emiko>
To: kernel-team <kernel-team@lists.ubuntu.com>
Date: Thu, 17 Mar 2011 10:21:25 -0700

The following changes since commit 78006f719c80cc01424fb9a9d3bbd06eeba4dd13:
  Stefan Bader (1):
        Linux 2.6.32.33+drm33.15

are available in the git repository at:

  git://kernel.ubuntu.com/ogasawara/ubuntu-lucid.git CVE-2010-4342

David S. Miller (1):
      econet: Fix crash in aun_incoming(). CVE-2010-4342

 net/econet/af_econet.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

>From 4b4b8aef6afeedece57675ea94be2dda72a091a5 Mon Sep 17 00:00:00 2001
From: David S. Miller <davem@davemloft.net>
Date: Wed, 8 Dec 2010 18:42:23 -0800
Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342

CVE-2010-4342

BugLink: http://bugs.launchpad.net/bugs/736394

Unconditional use of skb->dev won't work here,
try to fetch the econet device via skb_dst()->dev
instead.

Suggested by Eric Dumazet.

Reported-by: Nelson Elhage <nelhage@ksplice.com>
Tested-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64)

Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>

---
net/econet/af_econet.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index c9cf1ec..c5f152a 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
 	struct iphdr *ip = ip_hdr(skb);
 	unsigned char stn = ntohl(ip->saddr) & 0xff;
 	struct sock *sk;
+	struct dst_entry *dst = skb_dst(skb);
+	struct ec_device *edev = NULL;
 	struct sk_buff *newskb;
-	struct ec_device *edev = skb->dev->ec_ptr;
+
+	if (dst)
+		edev = dst->dev->ec_ptr;
 
 	if (! edev)
 		goto bad;