[PATCH] remote memory corruptor in ibmtr.c ip_summed changes last summer had missed that one. As the result, we have ip_summed interpreted as CHECKSUM_PARTIAL now. IOW, ->csum is interpreted as offset of checksum in the packet. net/core/* will both read and modify the value as that offset, with obvious reasons. At the very least it's a remote memory corruptor. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

commit: ee28b0da1069ced1688aa9d0b7b378353b988321 [log] [tgz]
author: Al Viro <viro@hera.kernel.org> Mon Dec 04 22:05:09 2006 +0000
committer: Linus Torvalds <torvalds@woody.osdl.org> Mon Dec 04 19:32:44 2006 -0800
tree: 571ce21b27d55c155fbc3e4b981cfc3233939a09
parent: 87fcd70d983d30eca4b933fff2e97d9a31743d0a [diff]
diff --git a/drivers/net/tokenring/ibmtr.c b/drivers/net/tokenring/ibmtr.c
index bfe5986..0d97e10 100644
--- a/drivers/net/tokenring/ibmtr.c
+++ b/drivers/net/tokenring/ibmtr.c

@@ -1826,7 +1826,7 @@
 	skb->protocol = tr_type_trans(skb, dev);
 	if (IPv4_p) {
 		skb->csum = chksum;
-		skb->ip_summed = 1;
+		skb->ip_summed = CHECKSUM_COMPLETE;
 	}
 	netif_rx(skb);
 	dev->last_rx = jiffies;
commit	ee28b0da1069ced1688aa9d0b7b378353b988321	[log] [tgz]
author	Al Viro <viro@hera.kernel.org>	Mon Dec 04 22:05:09 2006 +0000
committer	Linus Torvalds <torvalds@woody.osdl.org>	Mon Dec 04 19:32:44 2006 -0800
tree	571ce21b27d55c155fbc3e4b981cfc3233939a09
parent	87fcd70d983d30eca4b933fff2e97d9a31743d0a [diff]