[NETFILTER]: ipt_REJECT: fix memory corruption

On devices with hard_header_len > LL_MAX_HEADER ip_route_me_harder() reallocates the skb, leading to memory corruption when using the stale tcph pointer to update the checksum. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2006-11-28 23:10:21 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-11-28 23:59:38 -0500
commit: af443b6d90de17f7630621269cf0610d9d772670 (patch)
tree: bd329577450b1d152813117d47796c65a45b39d4
parent: 2e47c264a2e6ea24c27b4987607222202818c1f4 (diff)
1 files changed, 9 insertions, 7 deletions
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index ad0312d0e4fd..264763adc39b 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -114,6 +114,14 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        tcph->window = 0;
        tcph->urg_ptr = 0;
+        /* Adjust TCP checksum */
+        tcph->check = 0;
+        tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
+                                   nskb->nh.iph->saddr,
+                                   nskb->nh.iph->daddr,
+                                   csum_partial((char *)tcph,
+                                                sizeof(struct tcphdr), 0));
        /* Set DF, id = 0 */
        nskb->nh.iph->frag_off = htons(IP_DF);
        nskb->nh.iph->id = 0;
@@ -129,14 +137,8 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        if (ip_route_me_harder(&nskb, addr_type))
                goto free_nskb;
-        /* Adjust TCP checksum */
        nskb->ip_summed = CHECKSUM_NONE;
-        tcph->check = 0;
-        tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-                                   nskb->nh.iph->saddr,
-                                   nskb->nh.iph->daddr,
-                                   csum_partial((char *)tcph,
-                                                sizeof(struct tcphdr), 0));
        /* Adjust IP TTL */
        nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
author	Patrick McHardy <kaber@trash.net>	2006-11-28 23:10:21 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-11-28 23:59:38 -0500
commit	af443b6d90de17f7630621269cf0610d9d772670 (patch)
tree	bd329577450b1d152813117d47796c65a45b39d4
parent	2e47c264a2e6ea24c27b4987607222202818c1f4 (diff)

diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index ad0312d0e4fd..264763adc39b 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -114,6 +114,14 @@ static void send_reset(struct sk_buff *oldskb, int hook)
114	tcph->window = 0;	114	tcph->window = 0;
115	tcph->urg_ptr = 0;	115	tcph->urg_ptr = 0;
116		116
		117	/* Adjust TCP checksum */
		118	tcph->check = 0;
		119	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
		120	nskb->nh.iph->saddr,
		121	nskb->nh.iph->daddr,
		122	csum_partial((char *)tcph,
		123	sizeof(struct tcphdr), 0));
		124
117	/* Set DF, id = 0 */	125	/* Set DF, id = 0 */
118	nskb->nh.iph->frag_off = htons(IP_DF);	126	nskb->nh.iph->frag_off = htons(IP_DF);
119	nskb->nh.iph->id = 0;	127	nskb->nh.iph->id = 0;
@@ -129,14 +137,8 @@ static void send_reset(struct sk_buff *oldskb, int hook)
129	if (ip_route_me_harder(&nskb, addr_type))	137	if (ip_route_me_harder(&nskb, addr_type))
130	goto free_nskb;	138	goto free_nskb;
131		139
132	/* Adjust TCP checksum */
133	nskb->ip_summed = CHECKSUM_NONE;	140	nskb->ip_summed = CHECKSUM_NONE;
134	tcph->check = 0;	141
135	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
136	nskb->nh.iph->saddr,
137	nskb->nh.iph->daddr,
138	csum_partial((char *)tcph,
139	sizeof(struct tcphdr), 0));
140	/* Adjust IP TTL */	142	/* Adjust IP TTL */
141	nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);	143	nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
142		144