lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Jun 2017 08:57:56 +0800 From: Haishuang Yan <yanhaishuang@...s.chinamobile.com> To: "=David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, James Morris <jmorris@...ei.org>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, Patrick McHardy <kaber@...sh.net> Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, Haishuang Yan <yanhaishuang@...s.chinamobile.com>, Alexei Starovoitov <ast@...com> Subject: [PATCH v2 2/2] ip6_tunnel: fix potential issue in __ip6_tnl_rcv When __ip6_tnl_rcv fails, the tun_dst won't be freed, so move skb_dst_set to begin and tun_dst would be freed by kfree_skb. CC: Alexei Starovoitov <ast@...com> Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels") Signed-off-by: Haishuang Yan <yanhaishuang@...s.chinamobile.com> --- net/ipv6/ip6_tunnel.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index 9b37f97..bf45f1b 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c @@ -789,6 +789,9 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb, const struct ipv6hdr *ipv6h = ipv6_hdr(skb); int err; + if (tun_dst) + skb_dst_set(skb, (struct dst_entry *)tun_dst); + if ((!(tpi->flags & TUNNEL_CSUM) && (tunnel->parms.i_flags & TUNNEL_CSUM)) || ((tpi->flags & TUNNEL_CSUM) && @@ -852,9 +855,6 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb, skb_scrub_packet(skb, !net_eq(tunnel->net, dev_net(tunnel->dev))); - if (tun_dst) - skb_dst_set(skb, (struct dst_entry *)tun_dst); - gro_cells_receive(&tunnel->gro_cells, skb); return 0; -- 1.8.3.1
Powered by blists - more mailing lists