[IPV6]: fix lockup via /proc/net/ip6_flowlabel (CVE-2006-5619)

There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where, after finding a flowlabel, the code will loop forever not finding any further flowlabels, first traversing the rest of the hash bucket then just looping. This patch fixes the problem by breaking after the hash bucket has been traversed. Note that this bug can cause lockups and oopses, and is trivially invoked by an unpriveleged user. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
author: James Morris <jmorris@namei.org> 2006-11-05 09:00:45 +0100
committer: Adrian Bunk <bunk@stusta.de> 2006-11-05 09:00:45 +0100
commit: d1ce361a6c0115e2ef500e9e7dfe77763d287fcd (patch)
tree: cc00ae16fafd01c4293d404d3c5c53a61b40f49c /net/ipv6
parent: e4943436e258e9f993be30d7ab41f7202f8adbf7 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 69cbe8a66d02..c19f5e30fc2f 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -589,6 +589,8 @@ static struct ip6_flowlabel *ip6fl_get_next(struct seq_file *seq, struct ip6_flo
 	while (!fl) {
 		if (++state->bucket <= FL_HASH_MASK)
 			fl = fl_ht[state->bucket];
+		else
+			break;
 	}
 	return fl;
 }
author	James Morris <jmorris@namei.org>	2006-11-05 09:00:45 +0100
committer	Adrian Bunk <bunk@stusta.de>	2006-11-05 09:00:45 +0100
commit	d1ce361a6c0115e2ef500e9e7dfe77763d287fcd (patch)
tree	cc00ae16fafd01c4293d404d3c5c53a61b40f49c /net/ipv6
parent	e4943436e258e9f993be30d7ab41f7202f8adbf7 (diff)