diff options
| author | Eric Dumazet <edumazet@google.com> | 2012-08-20 03:26:45 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-08-21 17:51:06 -0400 |
| commit | a9915a1b52df52ad87f3b33422da95cf25372f09 (patch) | |
| tree | f589aadc6e5c0ba2a99d6c09a0a3fded9a80b8fa /net | |
| parent | 1a7b27c97ce675b42eeb7bfaf6e15c34f35c8f95 (diff) | |
ipv4: fix ip header ident selection in __ip_make_skb()
Christian Casteyde reported a kmemcheck 32-bit read from uninitialized
memory in __ip_select_ident().
It turns out that __ip_make_skb() called ip_select_ident() before
properly initializing iph->daddr.
This is a bug uncovered by commit 1d861aa4b3fb (inet: Minimize use of
cached route inetpeer.)
Addresses https://bugzilla.kernel.org/show_bug.cgi?id=46131
Reported-by: Christian Casteyde <casteyde.christian@free.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/ip_output.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 147ccc3e93db..c196d749daf2 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c | |||
| @@ -1338,10 +1338,10 @@ struct sk_buff *__ip_make_skb(struct sock *sk, | |||
| 1338 | iph->ihl = 5; | 1338 | iph->ihl = 5; |
| 1339 | iph->tos = inet->tos; | 1339 | iph->tos = inet->tos; |
| 1340 | iph->frag_off = df; | 1340 | iph->frag_off = df; |
| 1341 | ip_select_ident(iph, &rt->dst, sk); | ||
| 1342 | iph->ttl = ttl; | 1341 | iph->ttl = ttl; |
| 1343 | iph->protocol = sk->sk_protocol; | 1342 | iph->protocol = sk->sk_protocol; |
| 1344 | ip_copy_addrs(iph, fl4); | 1343 | ip_copy_addrs(iph, fl4); |
| 1344 | ip_select_ident(iph, &rt->dst, sk); | ||
| 1345 | 1345 | ||
| 1346 | if (opt) { | 1346 | if (opt) { |
| 1347 | iph->ihl += opt->optlen>>2; | 1347 | iph->ihl += opt->optlen>>2; |