tag rc6
[openwrt/svn-archive/openwrt.git] / target / linux / linux-2.4 / patches / generic / 215_net-bridge-if_del-panic.patch
1 # Date: Sun, 20 Jun 2004 19:56:26 +0200
2 # From: Erich Schubert <erich@debian.org>
3 # Changes: Rebackported from 2.6.14, Horms <horms@debian.org>
4 # Reported: http://bugs.debian.org/255406
5 # Security: No
6 # Upstream: Forwarded to upstream
7
8 Package: kernel-source-2.4.26
9 Severity: normal
10
11 Some time ago I found a kernel crash in 2.4.x and reported it to LKML.
12 Unfortunately I never received a reply, and I didn't see it in recent
13 pre-releases of the 2.4.x kernel.
14
15 To verify your system is vulnerable (need bridge support):
16 $ brctl addbr br0
17 $ brctl addbr br1
18 $ brctl addif br0 eth0
19 $ brctl delif br1 eth0
20 (note br1 in last line, not br0! Deleting from the wrong bridge triggers
21 the kernel crash.)
22
23 This is a 1:1 backport (100% copy&paste) from 2.6.5 of the fix.
24 Verify yourself, grab the file from 2.6.5, go to the function, copy the
25 code, paste it and the issue is done. Returns "einval" on invalid
26 requests instead of causing an inconsistency and a panic.
27
28 (fixed sometime in 2.5.x it seems; it might be worth looking at when
29 this was fixed - it might contain other fixes, too.)
30
31 --- a/net/bridge/br_if.c 2005-11-16 14:46:05.000000000 +0900
32 +++ b/net/bridge/br_if.c 2005-11-16 14:46:09.000000000 +0900
33 @@ -246,6 +246,10 @@
34 int br_del_if(struct net_bridge *br, struct net_device *dev)
35 {
36 int retval;
37 + struct net_bridge_port *p = dev->br_port;
38 +
39 + if (!p || p->br != br)
40 + return -EINVAL;
41
42 br_write_lock_bh(BR_NETPROTO_LOCK);
43 write_lock(&br->lock);
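Review bot: the new test `if (!p || p->br != br)` reads `dev->br_port` and `p->br` before `br_write_lock_bh(BR_NETPROTO_LOCK)` and `write_lock(&br->lock)` are taken, so nothing visible in this hunk guarantees the port still belongs to `br` once the locks are held. Either move the check below the two lock calls (unlocking before the `return -EINVAL`), or add a comment above it naming what serialises callers of `br_del_if()` so the unlocked read is clearly safe. The description is also inconsistent about where the fix comes from: the header says it was rebackported from 2.6.14 while the body calls it a 1:1 copy from 2.6.5. State which upstream version the four added lines were actually taken from.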