Linux 4.4.162
1 From foo@baz Tue Oct 16 16:47:53 CEST 2018
2 From: Eric Dumazet <edumazet@google.com>
3 Date: Sun, 30 Sep 2018 11:33:39 -0700
4 Subject: ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
5
6 From: Eric Dumazet <edumazet@google.com>
7
8 [ Upstream commit 64199fc0a46ba211362472f7f942f900af9492fd ]
9
10 Caching ip_hdr(skb) before a call to pskb_may_pull() is buggy,
11 do not do it.
12
13 Fixes: 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
14 Signed-off-by: Eric Dumazet <edumazet@google.com>
15 Cc: Willem de Bruijn <willemb@google.com>
16 Reported-by: syzbot <syzkaller@googlegroups.com>
17 Acked-by: Willem de Bruijn <willemb@google.com>
18 Signed-off-by: David S. Miller <davem@davemloft.net>
19 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
20 ---
21 net/ipv4/ip_sockglue.c | 3 +--
22 1 file changed, 1 insertion(+), 2 deletions(-)
23
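--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -134,7 +134,6 @@ static void ip_cmsg_recv_security(struct
 static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
 {
 struct sockaddr_in sin;
-const struct iphdr *iph = ip_hdr(skb);
 __be16 *ports;
 int end;
 
@@ -149,7 +148,7 @@ static void ip_cmsg_recv_dstaddr(struct
 ports = (__be16 *)skb_transport_header(skb);
 
 sin.sin_family = AF_INET;
-sin.sin_addr.s_addr = iph->daddr;
+sin.sin_addr.s_addr = ip_hdr(skb)->daddr;
 sin.sin_port = ports[1];
 memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
 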
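Review bot: The new `ip_hdr(skb)->daddr` read in the second hunk has no comment explaining why the header pointer is re-derived at the point of use, so a later cleanup could reintroduce a cached `iph` local and the use-after-free with it. I would add a comment directly above that assignment: `/* pskb_may_pull() may reallocate skb->head; do not cache ip_hdr(skb) across it */`. The pskb_may_pull() call sits between the two hunks and is not visible here, so this relies on the commit message. `ports` is taken from skb_transport_header(skb) at the top of the second hunk, which appears to be after the pull, but that ordering should be confirmed against the full function. The body of ip_cmsg_recv_dstaddr() continues past the end of the second hunk.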