Date: Tue, 21 Nov 2023 10:56:26 +0800
From: Hangbin Liu <liuhangbin@...il.com>
To: Zhengchao Shao <shaozhengchao@...wei.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, weiyongjun1@...wei.com, yuehaibing@...wei.com
Subject: Re: [PATCH net] ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

Hi Zhengchao,

On Tue, Nov 21, 2023 at 10:05:58AM +0800, Zhengchao Shao wrote:
> --- > net/ipv4/igmp.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c > index 76c3ea75b8dd..f217581904d6 100644 > --- a/net/ipv4/igmp.c > +++ b/net/ipv4/igmp.c > @@ -1044,6 +1044,8 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, > for_each_pmc_rcu(in_dev, im) { > int changed; > > + if (!netif_running(im->interface->dev)) > + continue;

I haven't checked this part for a long time. What's the difference between in_dev->dev and im->interface->dev? I thought they are the same, no?

If they are the same, should we stop processing the query earlier? e.g.

diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index 76c3ea75b8dd..f4e1d229c9aa 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -1082,6 +1082,9 @@ int igmp_rcv(struct sk_buff *skb) goto drop; } + if (!netif_running(dev)) + goto drop; + in_dev = __in_dev_get_rcu(dev); if (!in_dev) goto drop;

BTW, does IPv6 MLD have this issue?

Thanks
Hangbin
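
Review bot: in the quoted igmp_heard_query() hunk, the `if (!netif_running(im->interface->dev)) continue;` test inside `for_each_pmc_rcu(in_dev, im)` carries no comment explaining why entries on a non-running device must be skipped, and it is re-evaluated for every list entry. A one-line comment tying it to the refcnt use-after-free named in the subject would help, and if `im->interface->dev` is the same device as `in_dev->dev` for every entry, as the reply asks, a single test before the loop would replace the per-entry one.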
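
Review bot: in the suggested igmp_rcv() hunk, `if (!netif_running(dev)) goto drop;` sits ahead of `in_dev = __in_dev_get_rcu(dev);`, so it applies to every packet that reaches igmp_rcv(), a wider scope than the quoted fix, which is confined to igmp_heard_query(). If that wider drop is intended, the changelog should say so; the added lines also need a short comment stating why a non-running device must not process the packet, since nothing in the hunk explains it.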