From 342ba3d57d1f27c9cde461b27fb40a137ca0e75b Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 21 May 2016 16:46:12 +0200 Subject: [PATCH] tipc: check nl sock before parsing nested attributes (CVE-2016-4951) --- debian/changelog | 7 ++++ ...ock-before-parsing-nested-attributes.patch | 36 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 44 insertions(+) create mode 100644 debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch diff --git a/debian/changelog b/debian/changelog index 84cdb0272..5f83fb7ad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +linux (4.5.4-2) UNRELEASED; urgency=medium + + [ Salvatore Bonaccorso ] + * tipc: check nl sock before parsing nested attributes (CVE-2016-4951) + + -- Salvatore Bonaccorso Sat, 21 May 2016 16:47:59 +0200 + linux (4.5.4-1) unstable; urgency=medium * New upstream stable update: diff --git a/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch new file mode 100644 index 000000000..934147dd5 --- /dev/null +++ b/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch 
@@ -0,0 +1,36 @@ +From: Richard Alpe +Date: Mon, 16 May 2016 11:14:54 +0200 +Subject: tipc: check nl sock before parsing nested attributes +Origin: https://git.kernel.org/linus/45e093ae2830cd1264677d47ff9a95a71f5d9f9c + +Make sure the socket for which the user is listing publication exists +before parsing the socket netlink attributes. + +Prior to this patch a call without any socket caused a NULL pointer +dereference in tipc_nl_publ_dump(). + +Tested-and-reported-by: Baozeng Ding +Signed-off-by: Richard Alpe +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +--- + net/tipc/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 1262889..3b7a799 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) + if (err) + return err; + ++ if (!attrs[TIPC_NLA_SOCK]) ++ return -EINVAL; ++ + err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, + attrs[TIPC_NLA_SOCK], + tipc_nl_sock_policy); +-- +2.8.1 + diff --git a/debian/patches/series b/debian/patches/series index a89d5d3c7..69435f624 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -145,6 +145,7 @@ bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch +bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch # ABI maintenance debian/ib-fix-abi-change-in-4.5.3.patch
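Review bot: in the net/tipc/socket.c hunk the new `if (!attrs[TIPC_NLA_SOCK]) return -EINVAL;` sits between the outer-attribute parse (`if (err) return err;`) and `nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, attrs[TIPC_NLA_SOCK], tipc_nl_sock_policy)`, which is the only place the guard can go: nla_parse_nested reads the length and payload of the attribute it is handed, so a NULL entry from a dump request that omitted TIPC_NLA_SOCK has to be rejected before that call rather than inside it. Two things to confirm on the Debian side before this leaves UNRELEASED: that the hunk context at `@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(...)` applies without fuzz to the 4.5.4 tree this series targets, and that no other dump callback in the same file parses a nested attribute without an equivalent NULL check, since the hunk covers tipc_nl_publ_dump() only.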
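Review bot: the debian/changelog hunk records only the CVE identifier, while the packaged patch header already states the actual impact (a NULL pointer dereference in tipc_nl_publ_dump() triggered by a netlink request carrying no socket attribute); carrying a short parenthetical of that into the changelog line, e.g. `* tipc: check nl sock before parsing nested attributes (CVE-2016-4951; NULL pointer dereference in tipc_nl_publ_dump())`, lets readers of the changelog and the security tracker see what is fixed without opening debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch. The entry is also still `UNRELEASED; urgency=medium`, so the target distribution and urgency remain to be set at upload time.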