- disable user namespace; it's broken right now and will be fixed in some distinct...
[packages/kernel.git] / kernel-CVE-2011-1927.patch
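--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -223,32 +223,31 @@
 
        if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
                struct sk_buff *head = qp->q.fragments;
+               const struct iphdr *iph;
+               int err;
 
                rcu_read_lock();
                head->dev = dev_get_by_index_rcu(net, qp->iif);
                if (!head->dev)
                        goto out_rcu_unlock;
+               
+               /* skb dst is stale, drop it, and perform route lookup again */
+               skb_dst_drop(head);
+               iph = ip_hdr(head);
+               err = ip_route_input_noref(head, iph->daddr, iph->saddr,
+                                                                       iph->tos, head->dev);
+               if (err)
+                               goto out_rcu_unlock;
 
                /*
-                * Only search router table for the head fragment,
-                * when defraging timeout at PRE_ROUTING HOOK.
+                * Only an end host needs to send an ICMP
+                * "Fragment Reassembly Timeout" message, per RFC792.
                 */
-               if (qp->user == IP_DEFRAG_CONNTRACK_IN && !skb_dst(head)) {
-                       const struct iphdr *iph = ip_hdr(head);
-                       int err = ip_route_input(head, iph->daddr, iph->saddr,
-                                                iph->tos, head->dev);
-                       if (unlikely(err))
-                               goto out_rcu_unlock;
-
-                       /*
-                        * Only an end host needs to send an ICMP
-                        * "Fragment Reassembly Timeout" message, per RFC792.
-                        */
-                       if (skb_rtable(head)->rt_type != RTN_LOCAL)
+               
+               if (qp->user == IP_DEFRAG_CONNTRACK_IN &&
+                       skb_rtable(head)->rt_type != RTN_LOCAL)
                                goto out_rcu_unlock;
 
-               }
-
                /* Send an ICMP "Fragment Reassembly Timeout" message. */
                icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
 out_rcu_unlock: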
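Review bot: The comment above `skb_dst_drop(head)` says why the old dst is dropped but not how long the new one may be used: `ip_route_input_noref()` attaches a route without taking a reference, so it is only safe between the `rcu_read_lock()` at the top of the hunk and the `out_rcu_unlock:` label. I would extend the comment to `/* skb dst is stale, drop it and look the route up again; the noref dst is only valid inside this RCU read section */`, so that nobody later moves `icmp_send()` or the `skb_rtable(head)->rt_type` test past the unlock. Separately, the two added lines that hold only whitespace and the doubly indented `goto out_rcu_unlock;` under `if (err)` would be flagged by checkpatch. The enclosing function starts and ends outside the hunk.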
52 Tylko w linux-2.6.38/net/ipv4: ip_fragment.c~