diff options
| author | Haishuang Yan <yanhaishuang@cmss.chinamobile.com> | 2019-07-25 12:40:17 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-07-26 17:17:44 -0400 |
| commit | 01f5bffad555f8e22a61f4b1261fe09cf1b96994 (patch) | |
| tree | a5131a096a2872bac0fcd888ebfd6c46ee174ed8 | |
| parent | c5d139697d5d9ecf9c7cd92d7d7838a173508900 (diff) | |
ip6_tunnel: fix possible use-after-free on xmit
ip4ip6/ip6ip6 tunnels run iptunnel_handle_offloads on xmit which
can cause a possible use-after-free accessing iph/ipv6h pointer
since the packet will be 'uncloned' running pskb_expand_head if
it is a cloned gso skb.
Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets")
Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv6/ip6_tunnel.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index 3134fbb65d7f..754a484d35df 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c | |||
| @@ -1278,12 +1278,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) | |||
| 1278 | } | 1278 | } |
| 1279 | 1279 | ||
| 1280 | fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL); | 1280 | fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL); |
| 1281 | dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph)); | ||
| 1281 | 1282 | ||
| 1282 | if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) | 1283 | if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) |
| 1283 | return -1; | 1284 | return -1; |
| 1284 | 1285 | ||
| 1285 | dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph)); | ||
| 1286 | |||
| 1287 | skb_set_inner_ipproto(skb, IPPROTO_IPIP); | 1286 | skb_set_inner_ipproto(skb, IPPROTO_IPIP); |
| 1288 | 1287 | ||
| 1289 | err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, | 1288 | err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, |
| @@ -1367,12 +1366,11 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) | |||
| 1367 | } | 1366 | } |
| 1368 | 1367 | ||
| 1369 | fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL); | 1368 | fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL); |
| 1369 | dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h)); | ||
| 1370 | 1370 | ||
| 1371 | if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) | 1371 | if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) |
| 1372 | return -1; | 1372 | return -1; |
| 1373 | 1373 | ||
| 1374 | dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h)); | ||
| 1375 | |||
| 1376 | skb_set_inner_ipproto(skb, IPPROTO_IPV6); | 1374 | skb_set_inner_ipproto(skb, IPPROTO_IPV6); |
| 1377 | 1375 | ||
| 1378 | err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, | 1376 | err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, |