Red Hat Bugzilla – Bug 207306
CVE-2006-4997 IP over ATM clip_mkip dereference freed pointer
Last modified: 2007-11-30 17:06:55 EST
Reported by ADLab, Venustech info Ltd CHINA: There is a vulnerability in function clip_mkip() in net/atm/clip.c. When re-processing received data, a struct sk_buff pointer skb may be dereferenced after a free operation. It will lead to a kernel panic and denying further service. clip_mkip (clip.c): 502 while ((skb = skb_dequeue(©)) != NULL) 503 if (!clip_devs) { 504 atm_return(vcc,skb->truesize); 505 kfree_skb(skb); 506 } 507 else { 508 unsigned int len = skb->len; 509 510 clip_push(vcc,skb); 511 PRIV(skb->dev)->stats.rx_packets--; 512 PRIV(skb->dev)->stats.rx_bytes -= len; 513 } At line 511, PRIV(skb->dev) reference skb->dev; but after call clip_push at line 510, skb may be freed. clip_push (clip.c): 198 static void clip_push(struct atm_vcc *vcc,struct sk_buff *skb) 199 { ...... 234 memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data)); 235 netif_rx(skb); 236 } netif_rx (dev.c): 1392 int netif_rx(struct sk_buff *skb) 1393 { ...... 1428 kfree_skb(skb); //drop skb 1429 return NET_RX_DROP; 1430 } In netif_rx(), skb may be dropped during processing for congestion control or by the protocol layers; the return value NET_RX_DROP is used to identify skb pointer arg is dropped(freed).
QE ack for 2.1 maintenance delivery.
Verified that the fix for this is in linux-2.4.9-smallfixes.patch and is being applied to e.71.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0013.html