[PATCH 59/61] IPV6: fix lockup via /proc/net/ip6_flowlabel [CVE-2006-5619]

[Chris Wright]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: James Morris <jmorris@xxxxxxxxx>

There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where, 
after finding a flowlabel, the code will loop forever not finding any 
further flowlabels, first traversing the rest of the hash bucket then just 
looping.

This patch fixes the problem by breaking after the hash bucket has been 
traversed.

Note that this bug can cause lockups and oopses, and is trivially invoked 
by an unpriveleged user.

Signed-off-by: James Morris <jmorris@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
---
 net/ipv6/ip6_flowlabel.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.18.1.orig/net/ipv6/ip6_flowlabel.c
+++ linux-2.6.18.1/net/ipv6/ip6_flowlabel.c
@@ -587,6 +587,8 @@ static struct ip6_flowlabel *ip6fl_get_n
 	while (!fl) {
 		if (++state->bucket <= FL_HASH_MASK)
 			fl = fl_ht[state->bucket];
+		else
+			break;
 	}
 	return fl;
 }

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/