| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20181016081120.umbe3kz2vi4jfgks@breakpoint.cc>
Date: Tue, 16 Oct 2018 10:11:20 +0200
From: Florian Westphal <fw@...len.de>
To: Maciej Żenczykowski <zenczykowski@...il.com>
Cc: Lorenzo Colitti <lorenzo@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
Florian Westphal <fw@...len.de>,
Linux NetDev <netdev@...r.kernel.org>,
Maciej Zenczykowski <maze@...gle.com>
Subject: Re: crash in xt_policy due to skb_dst_drop() in nf_ct_frag6_gather()
Maciej Żenczykowski <zenczykowski@...il.com> wrote:
I am currently travelling and not able to investigate
until next week.
> commit ad8b1ffc3efae2f65080bdb11145c87d299b8f9a
> Author: Florian Westphal <fw@...len.de>
> netfilter: ipv6: nf_defrag: drop skb dst before queueing
>
> +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
> @@ -618,6 +618,8 @@ int nf_ct_frag6_gather(struct net *net, struct
> sk_buff *skb, u32 user)
> fq->q.meat == fq->q.len &&
> nf_ct_frag6_reasm(fq, skb, dev))
> ret = 0;
> + else
> + skb_dst_drop(skb);
This is only supposed to drop dst of skbs that are enqueued,
i.e. frag6_gather returns NF_STOLEN.
In case skb completes the queue, then that skbs dst_entry
is supposed to be kept, so skb_dst() does NOT return NULL.
Its not supposed to be any different than ipv4 defrag.
> const struct dst_entry *dst = skb_dst(skb); // returns NULL
That is not supposed to happen.
Powered by blists - more mailing lists