Red Hat Bugzilla – Bug 544144
CVE-2009-1298 kernel: ip_frag_reasm() NULL pointer dereference
Last modified: 2010-04-08 16:45:57 EDT
Description of problem:
ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS
ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined previously patched into 2.6.29.
Between 126.96.36.199 and 2.6.29, net/ipv4/ip_fragment.c was patched, changing from dev_net(dev) to container_of(...). Unfortunately the goto section (out_fail) on oversized packets inside ip_frag_reasm() didn't get touched up as well. Oversized IP packets cause a NULL pointer dereference and immediate hang.
I discovered this running openvasd and my previous email on this is titled: NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566
We have addressed this issue in kernel-188.8.131.52-102.fc11 and kernel-184.108.40.206-162.fc12.
kernel-220.127.116.11-102.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
kernel-18.104.22.168-162.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Fixed in Fedora via FEDORA-2009-12786 (Fedora 11) and FEDORA-2009-12825 (Fedora 12).