Date: Mon, 29 Mar 2010 11:36:44 +0800
From: Eugene Teo <>
CC: "Steven M. Christey" <>
Subject: CVE request: kernel: ipv6: skb is unexpectedly freed (remote DoS)

Upstream commit:

Description from the commit:
"The server side sets IPV6_RECVPKTINFO on a listening socket, and the 
client side just sends a message to the server.  Then the kernel panic 
occurs on the server.

This problem happens because a skb is forcibly freed in

When a socket in listening state (TCP_LISTEN) receives a syn packet, then
tcp_v6_conn_request() will be called from tcp_rcv_state_process().  If 
the tcp_v6_conn_request() successfully returns, the skb would be 
discarded by __kfree_skb().

However, in case of a listening socket which was already set 
IPV6_RECVPKTINFO, an address of the skb will be stored in treq->pktopts 
and a ref count of the skb will be incremented in tcp_v6_conn_request().
But, even if the skb is still in use, the skb will be freed.  Then
someone still using the freed skb will cause the kernel panic."

Triggering this could result in a general protection fault.


Thanks, Eugene
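
A userspace model of the reference-count mismatch the commit description explains, added here as an illustration; it is not part of the original message and not kernel code. The struct layouts and the names `forced_free()`, `counted_free()`, `conn_request()` and `listen_rcv_syn()` are hypothetical, and the counted release used as the contrasting path is this example's assumption about a refcount-respecting free, not the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins: "freed" is a flag, so nothing is really released. */
struct skb { int users; bool freed; };
struct request { struct skb *pktopts; };   /* plays the role of treq->pktopts */

/* Forced release: ignores the reference count (the __kfree_skb() behaviour). */
static void forced_free(struct skb *skb) { skb->freed = true; }

/* Counted release: frees only when the last reference is dropped. */
static void counted_free(struct skb *skb)
{
    if (--skb->users == 0)
        skb->freed = true;
}

/* Models tcp_v6_conn_request(): with IPV6_RECVPKTINFO set on the listener,
 * the request keeps the SYN skb and takes a reference on it. */
static void conn_request(struct request *req, struct skb *skb, bool recvpktinfo)
{
    req->pktopts = NULL;
    if (recvpktinfo) {
        skb->users++;
        req->pktopts = skb;
    }
}

/* Models the listen-state path after conn_request() succeeds.
 * Returns true when the request is left pointing at a freed skb. */
static bool listen_rcv_syn(bool recvpktinfo, bool forced)
{
    struct skb skb = { .users = 1, .freed = false };
    struct request req;

    conn_request(&req, &skb, recvpktinfo);
    if (forced)
        forced_free(&skb);
    else
        counted_free(&skb);
    return req.pktopts != NULL && req.pktopts->freed;
}

int main(void)
{
    printf("RECVPKTINFO + forced free : dangling=%d\n", listen_rcv_syn(true, true));
    printf("RECVPKTINFO + counted free: dangling=%d\n", listen_rcv_syn(true, false));
    printf("no option   + forced free : dangling=%d\n", listen_rcv_syn(false, true));
    return 0;
}
```

Only the combination of the socket option and the forced release leaves a stored pointer to a freed buffer, which matches the condition the commit description gives for the panic.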
