From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Red Hat/1.0.4-1.4.1 Firefox/1.0.4

Description of problem:
This one is user-triggerable (local only). Oops should be trivial, haven't convinced myself if priv-escalation is possible. It's public (upstream, and pending for -stable), so just an FYI.

Version-Release number of selected component (if applicable):
kernel-2.6.9-11

How reproducible:
Always

Steps to Reproduce:
1. boot the kernel
2. network related
3.

Additional info:

----- Forwarded message from Chris Wright <chrisw osdl org> -----

Date: Wed, 3 Aug 2005 00:01:27 -0700
From: Chris Wright <chrisw osdl org>
User-Agent: Mutt/1.5.6i
To: linux-kernel vger kernel org, stable kernel org
Cc: akpm osdl org, Theodore Ts'o <tytso mit edu>, Zwane Mwaikambo <zwane arm linux org uk>, Justin Forbes <jmforbes linuxtx org>, Randy Dunlap <rdunlap xenotime net>, torvalds osdl org, Chuck Wolber <chuckw quantumlinux com>, "David S. Miller" <davem davemloft net>, alan lxorguk ukuu org uk, Herbert Xu <herbert gondor apana org au>
Subject: [09/13] [XFRM]: Fix possible overflow of sock->sk_policy

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Herbert Xu <herbert gondor apana org au>

[XFRM]: Fix possible overflow of sock->sk_policy

Spotted by, and original patch by, Balazs Scheidler.

Signed-off-by: Herbert Xu <herbert gondor apana org au>
Signed-off-by: David S. Miller <davem davemloft net>
Signed-off-by: Chris Wright <chrisw osdl org>
Signed-off-by: Greg Kroah-Hartman <gregkh suse de>

--- net/xfrm/xfrm_user.c | 3 +++ 1 files changed, 3 insertions(+) --- linux-2.6.12.3.orig/net/xfrm/xfrm_user.c 2005-07-28 11:17:01.000000000 -0700 +++ linux-2.6.12.3/net/xfrm/xfrm_user.c 2005-07-28 11:17:18.000000000 -0700 
@@ -1180,6 +1180,9 @@ if (nr > XFRM_MAX_DEPTH) return NULL; + if (p->dir > XFRM_POLICY_OUT) + return NULL; + xp = xfrm_policy_alloc(GFP_KERNEL); if (xp == NULL) { *dir = -ENOBUFS; ----- End forwarded message -----
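Review bot: The added p->dir > XFRM_POLICY_OUT branch returns NULL without assigning *dir, while the allocation-failure path right below it sets *dir = -ENOBUFS before failing. Unless *dir is already set to an error value earlier in the function (not visible in this hunk), the caller cannot tell a rejected direction from any other failure, so consider setting *dir = -EINVAL before the return. The check is also an upper bound only, which is sufficient only if p->dir is an unsigned field; a one-line comment stating that p->dir later indexes sk_policy and that XFRM_POLICY_OUT is the last valid slot would make the intent of the bound clear to the next reader.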
*** This bug has been marked as a duplicate of 165560 ***