[thirdparty/kernel/stable-queue.git] / releases / 4.15.10 / netfilter-ipv6-fix-use-after-free-write-in-nf_nat_ipv6_manip_pkt.patch

From b078556aecd791b0e5cb3a59f4c3a14273b52121 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Mon, 19 Feb 2018 08:10:17 +0100
Subject: netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt

From: Florian Westphal <fw@strlen.de>

commit b078556aecd791b0e5cb3a59f4c3a14273b52121 upstream.

l4proto->manip_pkt() can cause reallocation of skb head so pointer
to the ipv6 header must be reloaded.

Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct
 	    !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
 				target, maniptype))
 		return false;
+
+	/* must reload, offset might have changed */
+	ipv6h = (void *)skb->data + iphdroff;
+
 manip_addr:
 	if (maniptype == NF_NAT_MANIP_SRC)
 		ipv6h->saddr = target->src.u3.in6;
Commit	Line	Data
d3c2d836 GKH	1	From b078556aecd791b0e5cb3a59f4c3a14273b52121 Mon Sep 17 00:00:00 2001
	2	From: Florian Westphal <fw@strlen.de>
	3	Date: Mon, 19 Feb 2018 08:10:17 +0100
	4	Subject: netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
	5
	6	From: Florian Westphal <fw@strlen.de>
	7
	8	commit b078556aecd791b0e5cb3a59f4c3a14273b52121 upstream.
	9
	10	l4proto->manip_pkt() can cause reallocation of skb head so pointer
	11	to the ipv6 header must be reloaded.
	12
	13	Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
	14	Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
	15	Signed-off-by: Florian Westphal <fw@strlen.de>
	16	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	17	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	18
	19	---
	20	net/ipv6/netfilter/nf_nat_l3proto_ipv6.c \| 4 ++++
	21	1 file changed, 4 insertions(+)
	22
	23	--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
	24	+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
	25	@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct
	26	!l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
	27	target, maniptype))
	28	return false;
	29	+
	30	+ /* must reload, offset might have changed */
	31	+ ipv6h = (void *)skb->data + iphdroff;
	32	+
	33	manip_addr:
	34	if (maniptype == NF_NAT_MANIP_SRC)
	35	ipv6h->saddr = target->src.u3.in6;