Bug 207306
| Summary: | CVE-2006-4997 IP over ATM clip_mkip dereference freed pointer | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 2.1 | Reporter: | Marcel Holtmann <holtmann> |
| Component: | kernel | Assignee: | Don Howard <dhoward> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 2.1 | CC: | security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | impact=moderate,reported=20060912,source=lkml,public=20060912 | ||
| Fixed In Version: | RHSA-2007-0013 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-01-17 10:15:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 143573 | ||
QE ack for 2.1 maintenance delivery. Verified that the fix for this is in linux-2.4.9-smallfixes.patch and is being applied to e.71. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0013.html |
Reported by ADLab, Venustech info Ltd CHINA: There is a vulnerability in function clip_mkip() in net/atm/clip.c. When re-processing received data, a struct sk_buff pointer skb may be dereferenced after a free operation. It will lead to a kernel panic and denying further service. clip_mkip (clip.c): 502 while ((skb = skb_dequeue(©)) != NULL) 503 if (!clip_devs) { 504 atm_return(vcc,skb->truesize); 505 kfree_skb(skb); 506 } 507 else { 508 unsigned int len = skb->len; 509 510 clip_push(vcc,skb); 511 PRIV(skb->dev)->stats.rx_packets--; 512 PRIV(skb->dev)->stats.rx_bytes -= len; 513 } At line 511, PRIV(skb->dev) reference skb->dev; but after call clip_push at line 510, skb may be freed. clip_push (clip.c): 198 static void clip_push(struct atm_vcc *vcc,struct sk_buff *skb) 199 { ...... 234 memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data)); 235 netif_rx(skb); 236 } netif_rx (dev.c): 1392 int netif_rx(struct sk_buff *skb) 1393 { ...... 1428 kfree_skb(skb); //drop skb 1429 return NET_RX_DROP; 1430 } In netif_rx(), skb may be dropped during processing for congestion control or by the protocol layers; the return value NET_RX_DROP is used to identify skb pointer arg is dropped(freed).