oss-sec mailing list archives

Re: kernel: l2tp: Fix oops in pppol2tp_xmit

From: Josh Bressers <bressers () redhat com>
Date: Tue, 6 Jul 2010 15:09:40 -0400 (EDT)

Please use CVE-2010-2495

Thanks.

-- 
    JB


----- "Eugene Teo" <eugeneteo () kernel sg> wrote:

"When transmitting L2TP frames, we derive the outgoing interface's UDP

checksum hardware assist capabilities from the tunnel dst dev. This
can 
sometimes be NULL, especially when routing protocols are used and 
routing changes occur. This patch just checks for NULL dst or dev 
pointers when checking for netdev hardware assist features.

     BUG: unable to handle kernel NULL pointer dereference at
0000000c
     IP: [<f89d074c>] pppol2tp_xmit+0x341/0x4da [pppol2tp]
     *pde = 00000000
     Oops: 0000 [#1] SMP
     last sysfs file: /sys/class/net/lo/operstate
[...]"

Introduced in ffcebb16 (v2.6.29-rc1~581), fixed in 3feec909 (fixed in

v2.6.34-rc2). (It was later split into different files in commit 
fd558d18 v2.6.35-rc1).

I'm not requesting a CVE name for this because it did not affect any
of 
our supported kernels. FYI.

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i);
}

Current thread:

Re: kernel: l2tp: Fix oops in pppol2tp_xmit Moritz Muehlenhoff (Jul 04)
- Re: CVE Request: kernel: l2tp: Fix oops in pppol2tp_xmit Eugene Teo (Jul 04)
- <Possible follow-ups>
- Re: kernel: l2tp: Fix oops in pppol2tp_xmit Josh Bressers (Jul 06)