Date: Wed, 29 Apr 2015 11:31:59 -0700
From: Martin KaFai Lau <kafai@...com>
To: Steffen Klassert <steffen.klassert@...unet.com>
CC: netdev <netdev@...r.kernel.org>, Hannes Frederic Sowa <hannes@...essinduktion.org>, David Miller <davem@...emloft.net>, Kernel Team <Kernel-team@...com>
Subject: Re: [PATCH net-next 4/6] ipv6: Only create RTF_CACHE routes after encountering pmtu exception

On Wed, Apr 29, 2015 at 01:39:18PM +0200, Steffen Klassert wrote:
> On Tue, Apr 28, 2015 at 02:07:51PM -0700, Martin KaFai Lau wrote:
> > + if (ip6_ins_rt(nrt6)) {
> > + dst_destroy(&nrt6->dst);
>
> fib6_add() does a dst_free() on error, so calling dst_destroy()
> here might result in a use after free.

Good catch.

>
> > + return;
> > + }
> > +
> > + rt6 = nrt6;
> > + dst = &nrt6->dst;
> > }
> > +
> > + net = dev_net(dst->dev);
> > + rt6->rt6i_flags |= RTF_MODIFIED;
> > + rt6->rt6i_pmtu = mtu;
> > + rt6_update_expires(rt6, net->ipv6.sysctl.ip6_rt_mtu_expires);
>
> The update of expires and the setting of rt6i_pmtu should
> happen before the route is inserted with ip6_ins_rt().
>
> This is because fib6_add_rt2node() tries to reuse old
> expired routes if still in the fib tree, the necessary
> information is copied from the new route before it
> returns -EEXIST on the new route. If your new route
> has no expires value set, fib6_add_rt2node() cleans
> expires of the old route before it reuses it.
>
> Also rt6i_pmtu should be copied to the reused route in
> fib6_add_rt2node(), this should be done already in your
> first patchset. Otherwise we might use stale pmtu information.

Good catch. A similar race may also happen in the current ip6_pol_route()
where it may clear the RTF_EXPIRES of the existing pmtu clone. Hence,
copying rt6i_pmtu (at fib6_add_rt2node()) in the last patchset will not be
right. I will do the copying and early-set-expire in this patchset instead.

Thanks,
---Martin
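
Review bot: the error branch `if (ip6_ins_rt(nrt6)) {` only tests the result for non-zero and then discards it, so the -EEXIST outcome discussed in this thread (an old expired route reused by fib6_add_rt2node()) takes the same silent `return;` as any other insert failure. Keep the return value in a local so the two cases can be told apart, and, since the thread establishes that fib6_add() already does a dst_free() on error, drop the `dst_destroy(&nrt6->dst);` call so the entry is released exactly once.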
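
Review bot: the common tail after the closing brace (`rt6->rt6i_flags |= RTF_MODIFIED;`, `rt6->rt6i_pmtu = mtu;`, `rt6_update_expires(...)`) runs after `rt6 = nrt6`, which means a freshly created route has already been passed to ip6_ins_rt() before it carries the new pmtu or an expiry. Apply these three updates to nrt6 before the insert, keep a separate path for the case where rt6 was not replaced by nrt6, and add a short comment stating that the fields must be set before insertion so the ordering is not undone by a later cleanup.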