From: Al Viro Date: Mon, 4 Dec 2006 22:05:09 +0000 (+0000) Subject: [PATCH] remote memory corruptor in ibmtr.c X-Git-Tag: v2.6.20-rc1~34^2~40^2~5 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee28b0da1069ced1688aa9d0b7b378353b988321;p=linux-2.6 [PATCH] remote memory corruptor in ibmtr.c ip_summed changes last summer had missed that one. As the result, we have ip_summed interpreted as CHECKSUM_PARTIAL now. IOW, ->csum is interpreted as offset of checksum in the packet. net/core/* will both read and modify the value as that offset, with obvious reasons. At the very least it's a remote memory corruptor. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds --- diff --git a/drivers/net/tokenring/ibmtr.c b/drivers/net/tokenring/ibmtr.c index bfe59865b1..0d97e10cca 100644 --- a/drivers/net/tokenring/ibmtr.c +++ b/drivers/net/tokenring/ibmtr.c @@ -1826,7 +1826,7 @@ static void tr_rx(struct net_device *dev) skb->protocol = tr_type_trans(skb, dev); if (IPv4_p) { skb->csum = chksum; - skb->ip_summed = 1; + skb->ip_summed = CHECKSUM_COMPLETE; } netif_rx(skb); dev->last_rx = jiffies;