From: Andrew Morton <[EMAIL PROTECTED]> Date: Tue, 7 Mar 2006 16:41:02 -0800
> [EMAIL PROTECTED] wrote:
> >
> > http://bugzilla.kernel.org/show_bug.cgi?id=6186
> >
> > Summary: net/ipv4/route.c: use after free in rt_fill_info
> > Kernel Version: 2.6.16-git
> > Status: NEW
> > Severity: normal
> > Owner: [EMAIL PROTECTED]
> > Submitter: [EMAIL PROTECTED]
> >
> > When rt_fill_info passes an skb to ipmr_get_route, it doesn't handle the case
> > where ipmr_get_route frees the skb (it gets freed in ipmr_cache_unresolved).
> >
> > Instead, it bounces down to nlmsg_failure, where it calls skb_trim on the
> > deallocated skb.
> >

A coverity catch, I assume? In any case, this particular code can't work at all and it's been a known problem for at least 2 years but nobody has felt inspired to work on it.

This ipmr_get_route() function is getting a netlink SKB to fill in the info, but if it can't find the cached entry it uses that SKB as a normal IPv4 packet to try and resolve a new cache entry, totally clobbering the caller's state.
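The ownership mismatch the report describes, as an added C model. This is not kernel code and not from the thread: `nlbuf`, `route_lookup`, `fill_info_buggy`, `fill_info_fixed` and `run_scenario` are hypothetical stand-ins for the skb, ipmr_get_route() and rt_fill_info(), and the `freed` flag exists only so the model can detect the caller's misuse instead of dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for the netlink skb. The `freed` flag is only for the model:
 * it lets the caller's misuse be detected instead of dereferencing freed memory. */
struct nlbuf {
    char  *data;
    size_t len;
    int    freed;
};

static int nlbuf_init(struct nlbuf *b, size_t cap)
{
    b->data  = calloc(cap, 1);
    b->len   = 0;
    b->freed = 0;
    return b->data ? 0 : -1;
}

static void nlbuf_free(struct nlbuf *b)
{
    free(b->data);
    b->data  = NULL;
    b->freed = 1;
}

/* Stand-in for skb_trim: returns -1 when the buffer is already gone, which is
 * the use-after-free the bug report describes. */
static int nlbuf_trim(struct nlbuf *b, size_t len)
{
    if (b->freed)
        return -1;
    if (len < b->len)
        b->len = len;
    return 0;
}

/* Hypothetical callee modelled on the reported ipmr_get_route() behaviour:
 * on a cache hit it fills the caller's buffer and returns 0; on a miss it
 * takes the buffer for its own purposes and releases it, returning -1.
 * After a negative return the caller no longer owns the buffer. */
static int route_lookup(struct nlbuf *b, int cache_hit)
{
    static const char info[] = "route";
    if (cache_hit) {
        memcpy(b->data, info, sizeof info);
        b->len = sizeof info;
        return 0;
    }
    nlbuf_free(b);
    return -1;
}

/* Buggy caller, mirroring the reported rt_fill_info error path: every failure
 * jumps to one label that trims the buffer. Returns 0 on success, -1 on an
 * ordinary failure and -2 when it touched a freed buffer. */
static int fill_info_buggy(struct nlbuf *b, int cache_hit)
{
    if (route_lookup(b, cache_hit) < 0)
        goto failure;
    return 0;
failure:
    return nlbuf_trim(b, 0) < 0 ? -2 : -1;
}

/* Fixed caller: the callee's contract is "negative return means the buffer
 * is gone", so the failure path returns without touching it. */
static int fill_info_fixed(struct nlbuf *b, int cache_hit)
{
    if (route_lookup(b, cache_hit) < 0)
        return -1;      /* buffer consumed by callee; nothing left to clean up */
    return 0;
}

/* Runs one scenario end to end and returns the caller's result code. */
static int run_scenario(int use_fixed, int cache_hit)
{
    struct nlbuf b;
    int rc;

    if (nlbuf_init(&b, 64) < 0)
        return -3;
    rc = use_fixed ? fill_info_fixed(&b, cache_hit)
                   : fill_info_buggy(&b, cache_hit);
    if (!b.freed)
        nlbuf_free(&b);
    return rc;
}

int main(void)
{
    printf("buggy, cache hit : %d\n", run_scenario(0, 1));   /* 0 */
    printf("buggy, cache miss: %d\n", run_scenario(0, 0));   /* -2: use after free */
    printf("fixed, cache hit : %d\n", run_scenario(1, 1));   /* 0 */
    printf("fixed, cache miss: %d\n", run_scenario(1, 0));   /* -1 */
    return 0;
}
```

The model only shows the caller-side fix (honour the callee's return code and skip the shared cleanup label when the buffer has been consumed). The reply above points at a deeper design problem: a callee that reuses its caller's message buffer as a packet of its own clobbers the caller's state whatever the caller does, so the more robust remedy is for the callee to work on its own buffer and leave the netlink message untouched.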