| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1464059784.5939.41.camel@edumazet-glaptop3.roam.corp.google.com>
Date: Mon, 23 May 2016 20:16:24 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Tom Herbert <tom@...bertland.com>
Cc: davem@...emloft.net, netdev@...r.kernel.org, kernel-team@...com
Subject: Re: [RFC PATCH 3/7] ipv4: Support TOU
On Mon, 2016-05-23 at 15:48 -0700, Tom Herbert wrote:
...
> static int
> ip_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
> @@ -382,11 +383,36 @@ int ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl)
> struct rtable *rt;
> struct iphdr *iph;
> int res;
> + __be16 dport, sport;
> + u8 protocol = sk->sk_protocol;
>
> /* Skip all of this if the packet is already routed,
> * f.e. by something like SCTP.
> */
> rcu_read_lock();
> +
> + if (inet->tou_encap) {
> + struct ip_tunnel_encap *e = inet->tou_encap;
You seem to rely on RCU, in spirit at least.
But ...
1) You read inet->tou_encap twice, so the second time could read a NULL
and then crash on a NULL dereference.
2) No RCU grace period is respected in tou_encap_setsockopt(), so use
after free is possible.
> + const struct ip_tunnel_encap_ops *ops;
> +
> + /* Transport layer protocol over UDP enapsulation */
> + dport = e->dport;
> + sport = e->sport;
Powered by blists - more mailing lists