Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:  icmp: fix NULL pointer dereference in icmp_tag_validation()  icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]  RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)  Call Trace:   <IRQ>   icmp_rcv (net/ipv4/icmp.c:1527)   ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)   ip_local_deliver_finish (net/ipv4/ip_input.c:242)   ip_local_deliver (net/ipv4/ip_input.c:262)   ip_rcv (net/ipv4/ip_input.c:573)   __netif_receive_skb_one_core (net/core/dev.c:6164)   process_backlog (net/core/dev.c:6628)   handle_softirqs (kernel/softirq.c:561)   </IRQ>  Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.