icmp: prevent possible NULL dereferences from icmp_build_probe()

JIRA: https://issues.redhat.com/browse/RHEL-37002
Upstream Status: linux.git
CVE: CVE-2024-35857

commit c58e88d49097bd12dfcfef4f075b43f5d5830941
Author: Eric Dumazet <edumazet@google.com>
Date: Sat Apr 20 07:01:16 2024 +0000

icmp: prevent possible NULL dereferences from icmp_build_probe()  

First problem is a double call to __in_dev_get_rcu(), because  
the second one could return NULL.  

    if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)

Second problem is a read from dev->ip6_ptr with no NULL check:  

    if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))

Use the correct RCU API to fix these.  

v2: add missing include <net/addrconf.h>  

Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")  
Signed-off-by: Eric Dumazet <edumazet@google.com>  
Cc: Andreas Roeseler <andreas.a.roeseler@gmail.com>  
Reviewed-by: David Ahern <dsahern@kernel.org>  
Signed-off-by: David S. Miller <davem@davemloft.net>  

Signed-off-by: Antoine Tenart <atenart@redhat.com>
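
The first problem in the commit message (checking one load of the pointer, then dereferencing a second load) is modelled below in userspace C. This is an added example, not code from the kernel or from this patch: `get_in_dev()`, `clear_after` and the return codes are hypothetical stand-ins, and `clear_after` simulates a writer clearing the pointer between two reads.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model; every name here is a hypothetical stand-in, not kernel code. */
struct in_device { void *ifa_list; };
struct net_device {
    _Atomic(struct in_device *) ip_ptr;
    int clear_after; /* test hook: "writer" clears ip_ptr after this many reads */
};
enum { WOULD_OOPS = -1, NO_ADDR = 0, HAS_ADDR = 1 };

/* Models one RCU-protected load of dev->ip_ptr. Each call is an independent
 * read, so a concurrent writer may clear the pointer between two calls. */
static struct in_device *get_in_dev(struct net_device *dev)
{
    struct in_device *p = atomic_load_explicit(&dev->ip_ptr, memory_order_acquire);
    if (dev->clear_after > 0 && --dev->clear_after == 0)
        atomic_store_explicit(&dev->ip_ptr, NULL, memory_order_release);
    return p;
}

/* Shape of the flagged condition: the NULL check and the dereference use
 * two separate loads. Reports WOULD_OOPS where the real code would crash. */
static int has_ipv4_double_read(struct net_device *dev)
{
    if (!get_in_dev(dev))
        return NO_ADDR;
    struct in_device *second = get_in_dev(dev);
    if (!second)
        return WOULD_OOPS;
    return second->ifa_list ? HAS_ADDR : NO_ADDR;
}

/* Safe shape: load once into a local, then test and dereference that value. */
static int has_ipv4_single_read(struct net_device *dev)
{
    struct in_device *in_dev = get_in_dev(dev);
    return (in_dev && in_dev->ifa_list) ? HAS_ADDR : NO_ADDR;
}

int main(void)
{
    int addr;
    struct in_device idev = { .ifa_list = &addr };
    struct net_device dev = { .clear_after = 1 };
    atomic_init(&dev.ip_ptr, &idev);
    printf("double read: %d\n", has_ipv4_double_read(&dev));
    atomic_store(&dev.ip_ptr, &idev);
    dev.clear_after = 1;
    printf("single read: %d\n", has_ipv4_single_read(&dev));
    return 0;
}
```

In the model the single-read variant still sees a valid object after the pointer is cleared, which mirrors an RCU read-side section keeping the old object alive for readers that already hold the pointer.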