[IPV4]: icmp: fix crash with sysctl_icmp_errors_use_inbound_ifaddr

When icmp_send is called on the local output path before the
packet hits ip_output, skb->dev is not set, causing a crash
when sysctl_icmp_errors_use_inbound_ifaddr is set. This can
happen with the netfilter REJECT target or IPsec tunnels.

Let routing decide the ICMP source address in that case, since the
packet is locally generated there is no inbound interface and
the sysctl should not apply.

The option actually seems to be unfixable broken, on the path
after ip_output() skb->dev points to the outgoing device and
we don't know the incoming device anymore, so its going to do
the absolute wrong thing and pick the address of the outgoing
interface. Add a comment about this.

Reported by Curtis Doty <Curtis@GreenKey.net>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 4 insertions, 1 deletions

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index d38cbba92a4d..e238b17f554c 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -514,7 +514,10 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
 
         saddr = iph->daddr;
         if (!(rt->rt_flags & RTCF_LOCAL)) {
-                if (sysctl_icmp_errors_use_inbound_ifaddr)
+                /* This is broken, skb_in->dev points to the outgoing device
+                 * after the packet passes through ip_output().
+                 */
+                if (skb_in->dev && sysctl_icmp_errors_use_inbound_ifaddr)
                         saddr = inet_select_addr(skb_in->dev, 0, RT_SCOPE_LINK);
                 else
                         saddr = 0;