CVE-2005-1041

A local user triggers the bug by reading `/proc/net/route`. The `fib_seq_start` function, when invoked with a non-zero position, called `fib_get_next` without first obtaining a fresh starting alias via `fib_get_first`. This could cause the iterator to follow stale or invalid pointers, resulting in a kernel crash (denial of service). No authentication beyond local shell access is required.

The vulnerability is in `fib_seq_start` in `net/ipv4/fib_hash.c`. The function directly called `fib_get_next` when `*pos` was non-zero, without first calling `fib_get_first` to obtain a valid starting pointer, leading to use of stale pointers.

The patch introduces a new helper `fib_get_idx` that first calls `fib_get_first` to obtain a valid starting `fib_alias`, then advances through `fib_get_next` the requested number of steps. `fib_seq_start` now calls `fib_get_idx(seq, *pos - 1)` instead of directly calling `fib_get_next`. This ensures the iterator always begins from a fresh, valid alias, preventing the use of stale pointers that caused the crash.