
Bug#255406: kernel-source-2.4.26: Kernel crash when removing interface from wrong bridge group



Package: kernel-source-2.4.26
Severity: normal

Some time ago I found a kernel crash in 2.4.x and reported it to LKML.
Unfortunately I never received a reply, and I didn't see it in recent
pre-releases of the 2.4.x kernel.

To verify your system is vulnerable (need bridge support):
$ brctl addbr br0
$ brctl addbr br1
$ brctl addif br0 eth0
$ brctl delif br1 eth0
(note br1 in last line, not br0! Deleting from the wrong bridge triggers
the kernel crash.)

This is a 1:1 backport (100% copy&paste) from 2.6.5 of the fix.
Verify yourself, grab the file from 2.6.5, go to the function, copy the
code, paste it and the issue is done. Returns "einval" on invalid
requests instead of causing an inconsistency and a panic.

(fixed sometime in 2.5.x it seems; it might be worth looking at when
this was fixed - it might contain other fixes, too.)

--- net/bridge/br_if.c.2.4.21   2004-05-20 14:34:50.000000000 +0200
+++ net/bridge/br_if.c  2004-05-20 14:37:22.000000000 +0200
@@ -254,6 +254,10 @@
 int br_del_if(struct net_bridge *br, struct net_device *dev)
 {
        int retval;
+       struct net_bridge_port *p;
+
+       if ((p = dev->br_port) == NULL || p->br != br)
+               return -EINVAL;
 
        br_write_lock_bh(BR_NETPROTO_LOCK);
        write_lock(&br->lock);
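
Review bot: the new test at the top of br_del_if() reads dev->br_port and p->br before br_write_lock_bh(BR_NETPROTO_LOCK) and write_lock(&br->lock) are taken, so the membership it validates can change before the locked section acts on it unless every caller already serializes add and delete requests. Either move the check below the two lock calls (and unlock on the -EINVAL path), or state in the commit message which caller-side lock makes the unlocked read safe. Two smaller points: the assignment inside the if condition would read more clearly as a separate "p = dev->br_port;" line, and the diff header names the old file br_if.c.2.4.21 while the report is filed against kernel-source-2.4.26, so confirm the hunk applies at this offset in the 2.4.26 tree.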


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.6
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro



