Commit:     f9f02cca25acf33e5853c6b3cbb0c7146312783f
Parent:     656829e2d052b1da4a72aa2ac39ad733a78530ce
Author:     Patrick McHardy <[EMAIL PROTECTED]>
AuthorDate: Tue Jan 9 14:32:41 2007 -0800
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Tue Jan 9 14:32:41 2007 -0800

    [NETFILTER]: nf_conntrack_ipv6: fix crash when handling fragments

    When IPv6 connection tracking splits up a defragmented packet into
    its original fragments, the packets are taken from a list and are
    passed to the network stack with skb->next still set. This causes
    dev_hard_start_xmit to treat them as GSO fragments, resulting in
    a use after free when connection tracking handles the next fragment.

    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
 net/ipv6/netfilter/nf_conntrack_reasm.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c 
index 37e5fca..d9c1540 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -835,6 +835,8 @@ void nf_ct_frag6_output(unsigned int hooknum, struct 
sk_buff *skb,
                s->nfct_reasm = skb;
                s2 = s->next;
+               s->next = NULL;
                NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn,
                               NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
                s = s2;
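Review bot: the hunk header (-835,6 +835,8) and the diffstat (2 insertions) both promise two added lines, but only the single `s->next = NULL;` is visible in this rendering, so one line of the fix is missing from the page and the full patch should be checked before it is applied anywhere. The ordering in the lines that are shown is correct: `s2 = s->next;` saves the next fragment before `s->next = NULL;` clears the link, so the walk over the fragment list still terminates properly while the skb handed to NF_HOOK_THRESH no longer carries a chain pointer. A one-line comment above the new assignment, stating that a non-NULL skb->next is interpreted by dev_hard_start_xmit as a GSO segment chain and must be cleared before the fragment is reinjected, would keep a future cleanup from removing what looks like a redundant store.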
