From: Al Viro <viro@hera.kernel.org>
Date: Mon, 4 Dec 2006 22:05:09 +0000 (+0000)
Subject: [PATCH] remote memory corruptor in ibmtr.c
X-Git-Tag: v2.6.20^0~684^2~145^2~5
X-Git-Url: http://www.kernel.org/git/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ee28b0da1069ced1688aa9d0b7b378353b988321;hp=87fcd70d983d30eca4b933fff2e97d9a31743d0a

[PATCH] remote memory corruptor in ibmtr.c

ip_summed changes last summer had missed that one.  As the result,
we have ip_summed interpreted as CHECKSUM_PARTIAL now.  IOW,
->csum is interpreted as offset of checksum in the packet.  net/core/*
will both read and modify the value as that offset, with obvious
reasons.  At the very least it's a remote memory corruptor.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Index: linux-2.6.18/drivers/net/tokenring/ibmtr.c
===================================================================
--- linux-2.6.18.orig/drivers/net/tokenring/ibmtr.c
+++ linux-2.6.18/drivers/net/tokenring/ibmtr.c
@@ -1826,7 +1826,7 @@ static void tr_rx(struct net_device *dev
 	skb->protocol = tr_type_trans(skb, dev);
 	if (IPv4_p) {
 		skb->csum = chksum;
-		skb->ip_summed = 1;
+		skb->ip_summed = CHECKSUM_COMPLETE;
 	}
 	netif_rx(skb);
 	dev->last_rx = jiffies;