1 files changed, 52 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch b/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch
new file mode 100644
index 0000000..abd4430
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch
@@ -0,0 +1,52 @@
+From c5c56513b779cb082d05f63c606bde9321d395fb Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Tue, 22 Apr 2014 13:52:58 +0200
+Subject: [PATCH] net: fib: fib6_add: fix potential NULL pointer dereference
+When the kernel is compiled with CONFIG_IPV6_SUBTREES, and we return
+with an error in fn = fib6_add_1(), then error codes are encoded into
+the return pointer e.g. ERR_PTR(-ENOENT). In such an error case, we
+write the error code into err and jump to out, hence enter the if(err)
+condition. Now, if CONFIG_IPV6_SUBTREES is enabled, we check for:
+if (pn != fn && pn->leaf == rt)
+...
+if (pn != fn && !pn->leaf && !(pn->fn_flags & RTN_RTINFO))
+...
+Since pn is NULL and fn is f.e. ERR_PTR(-ENOENT), then pn != fn
+evaluates to true and causes a NULL-pointer dereference on further
+checks on pn. Fix it, by setting both NULL in error case, so that
+pn != fn already evaluates to false and no further dereference
+takes place.
+This was first correctly implemented in 4a287eba2 ("IPv6 routing,
+NLM_F_* flag support: REPLACE and EXCL flags support, warn about
+missing CREATE flag"), but the bug got later on introduced by
+188c517a0 ("ipv6: return errno pointers consistently for fib6_add_1()").
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Cc: Lin Ming <mlin@ss.pku.edu.cn>
+Cc: Matti Vaittinen <matti.vaittinen@nsn.com>
+Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Matti Vaittinen <matti.vaittinen@nsn.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipv6/ip6_fib.c |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 5fc9c7a..45562f6 100644
+--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
+@@ -828,6 +828,7 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nl_info *info)
+ 
+        if (IS_ERR(fn)) {
+                err = PTR_ERR(fn);
+                fn = NULL;
+                goto out;
+        }
+ 
+-- 
+1.7.10.4

diff --git a/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch b/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch new file mode 100644 index 0000000..abd4430 --- /dev/null +++ b/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch
@@ -0,0 +1,52 @@
	1	From c5c56513b779cb082d05f63c606bde9321d395fb Mon Sep 17 00:00:00 2001
	2	From: Sona Sarmadi <sona.sarmadi@enea.com>
	3	Date: Tue, 22 Apr 2014 13:52:58 +0200
	4	Subject: [PATCH] net: fib: fib6_add: fix potential NULL pointer dereference
	5
	6	When the kernel is compiled with CONFIG_IPV6_SUBTREES, and we return
	7	with an error in fn = fib6_add_1(), then error codes are encoded into
	8	the return pointer e.g. ERR_PTR(-ENOENT). In such an error case, we
	9	write the error code into err and jump to out, hence enter the if(err)
	10	condition. Now, if CONFIG_IPV6_SUBTREES is enabled, we check for:
	11	if (pn != fn && pn->leaf == rt)
	12	...
	13	if (pn != fn && !pn->leaf && !(pn->fn_flags & RTN_RTINFO))
	14	...
	15	Since pn is NULL and fn is f.e. ERR_PTR(-ENOENT), then pn != fn
	16	evaluates to true and causes a NULL-pointer dereference on further
	17	checks on pn. Fix it, by setting both NULL in error case, so that
	18	pn != fn already evaluates to false and no further dereference
	19	takes place.
	20
	21	This was first correctly implemented in 4a287eba2 ("IPv6 routing,
	22	NLM_F_* flag support: REPLACE and EXCL flags support, warn about
	23	missing CREATE flag"), but the bug got later on introduced by
	24	188c517a0 ("ipv6: return errno pointers consistently for fib6_add_1()").
	25
	26	Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
	27	Cc: Lin Ming <mlin@ss.pku.edu.cn>
	28	Cc: Matti Vaittinen <matti.vaittinen@nsn.com>
	29	Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
	30	Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
	31	Acked-by: Matti Vaittinen <matti.vaittinen@nsn.com>
	32	Signed-off-by: David S. Miller <davem@davemloft.net>
	33	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	34	---
	35	net/ipv6/ip6_fib.c \| 1 +
	36	1 file changed, 1 insertion(+)
	37
	38	diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
	39	index 5fc9c7a..45562f6 100644
	40	--- a/net/ipv6/ip6_fib.c
	41	+++ b/net/ipv6/ip6_fib.c
	42	@@ -828,6 +828,7 @@ int fib6_add(struct fib6_node root, struct rt6_info rt, struct nl_info *info)
	43
	44	if (IS_ERR(fn)) {
	45	err = PTR_ERR(fn);
	46	+ fn = NULL;
	47	goto out;
	48	}
	49
	50	--
	51	1.7.10.4
	52