diff options
| author | Steffen Klassert <steffen.klassert@secunet.com> | 2018-09-11 04:31:15 -0400 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2018-09-11 05:28:25 -0400 |
| commit | 9e1437937807b0122e8da1ca8765be2adca9aee6 (patch) | |
| tree | 9da838ab391fbc47b379d00dab98aefe0888639e /net/xfrm/xfrm_output.c | |
| parent | 782710e333a526780d65918d669cb96646983ba2 (diff) | |
xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.
Since commit 222d7dbd258d ("net: prevent dst uses after free")
skb_dst_force() might clear the dst_entry attached to the skb.
The xfrm code don't expect this to happen, so we crash with
a NULL pointer dereference in this case. Fix it by checking
skb_dst(skb) for NULL after skb_dst_force() and drop the packet
in cast the dst_entry was cleared.
Fixes: 222d7dbd258d ("net: prevent dst uses after free")
Reported-by: Tobias Hommel <netdev-list@genoetigt.de>
Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
Reported-by: Wolfgang Walter <linux@stwm.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm/xfrm_output.c')
| -rw-r--r-- | net/xfrm/xfrm_output.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 89b178a78dc7..36d15a38ce5e 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c | |||
| @@ -101,6 +101,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err) | |||
| 101 | spin_unlock_bh(&x->lock); | 101 | spin_unlock_bh(&x->lock); |
| 102 | 102 | ||
| 103 | skb_dst_force(skb); | 103 | skb_dst_force(skb); |
| 104 | if (!skb_dst(skb)) { | ||
| 105 | XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); | ||
| 106 | goto error_nolock; | ||
| 107 | } | ||
| 104 | 108 | ||
| 105 | if (xfrm_offload(skb)) { | 109 | if (xfrm_offload(skb)) { |
| 106 | x->type_offload->encap(x, skb); | 110 | x->type_offload->encap(x, skb); |