[kernel] fix possible NULL pointer dereference in sock_sendpage()

 - CVE-2009-2692

SVN-Revision: 17308

diff --git a/target/linux/generic-2.4/patches/901-CVE-2009-2692.patch b/target/linux/generic-2.4/patches/901-CVE-2009-2692.patch
new file mode 100644 (file)
index 0000000..641c87d
--- /dev/null
+++ b/target/linux/generic-2.4/patches/901-CVE-2009-2692.patch
@@ -0,0 +1,14 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -607,6 +607,9 @@ ssize_t sock_sendpage(struct file *file,
+       if (more)
+               flags |= MSG_MORE;
+ 
++      if (!sock->ops->sendpage)
++              return sock_no_sendpage(sock, page, offset, size, flags);
++
+       return sock->ops->sendpage(sock, page, offset, size, flags);
+ }
+ 

diff --git a/target/linux/generic-2.6/patches-2.6.23/996-cve-2009-2692.patch b/target/linux/generic-2.6/patches-2.6.23/996-cve-2009-2692.patch
new file mode 100644 (file)
index 0000000..faf5ec3
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.23/996-cve-2009-2692.patch
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -687,7 +687,7 @@ static ssize_t sock_sendpage(struct file
+       if (more)
+               flags |= MSG_MORE;
+ 
+-      return sock->ops->sendpage(sock, page, offset, size, flags);
++      return kernel_sendpage(sock, page, offset, size, flags);
+ }
+ 
+ static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,

diff --git a/target/linux/generic-2.6/patches-2.6.24/996-cve-2009-2692.patch b/target/linux/generic-2.6/patches-2.6.24/996-cve-2009-2692.patch
new file mode 100644 (file)
index 0000000..19214b8
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.24/996-cve-2009-2692.patch
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -688,7 +688,7 @@ static ssize_t sock_sendpage(struct file
+       if (more)
+               flags |= MSG_MORE;
+ 
+-      return sock->ops->sendpage(sock, page, offset, size, flags);
++      return kernel_sendpage(sock, page, offset, size, flags);
+ }
+ 
+ static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,

diff --git a/target/linux/generic-2.6/patches-2.6.25/996-cve-2009-2692.patch b/target/linux/generic-2.6/patches-2.6.25/996-cve-2009-2692.patch
new file mode 100644 (file)
index 0000000..1910c36
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.25/996-cve-2009-2692.patch
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -692,7 +692,7 @@ static ssize_t sock_sendpage(struct file
+       if (more)
+               flags |= MSG_MORE;
+ 
+-      return sock->ops->sendpage(sock, page, offset, size, flags);
++      return kernel_sendpage(sock, page, offset, size, flags);
+ }
+ 
+ static ssize_t sock_splice_read(struct file *file, loff_t *ppos,

diff --git a/target/linux/generic-2.6/patches-2.6.26/996-cve-2009-2692.patch b/target/linux/generic-2.6/patches-2.6.26/996-cve-2009-2692.patch
new file mode 100644 (file)
index 0000000..1910c36
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.26/996-cve-2009-2692.patch
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -692,7 +692,7 @@ static ssize_t sock_sendpage(struct file
+       if (more)
+               flags |= MSG_MORE;
+ 
+-      return sock->ops->sendpage(sock, page, offset, size, flags);
++      return kernel_sendpage(sock, page, offset, size, flags);
+ }
+ 
+ static ssize_t sock_splice_read(struct file *file, loff_t *ppos,