]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blame - releases/4.19.35/ipv6-fix-dangling-pointer-when-ipv6-fragment.patch
projects / thirdparty / kernel / stable-queue.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Linux 4.19.35
[thirdparty/kernel/stable-queue.git] / releases / 4.19.35 / ipv6-fix-dangling-pointer-when-ipv6-fragment.patch
CommitLineData
a9fba688
SL		 1From d70f0c5c48ecf74f6d6a5ef0b786419999d46723 Mon Sep 17 00:00:00 2001
2From: Junwei Hu <hujunwei4@huawei.com>
3Date: Tue, 2 Apr 2019 19:38:04 +0800
4Subject: ipv6: Fix dangling pointer when ipv6 fragment
5
6[ Upstream commit ef0efcd3bd3fd0589732b67fb586ffd3c8705806 ]
7
8At the beginning of ip6_fragment func, the prevhdr pointer is
9obtained in the ip6_find_1stfragopt func.
10However, all the pointers pointing into skb header may change
11when calling skb_checksum_help func with
12skb->ip_summed = CHECKSUM_PARTIAL condition.
13The prevhdr pointe will be dangling if it is not reloaded after
14calling __skb_linearize func in skb_checksum_help func.
15
16Here, I add a variable, nexthdr_offset, to evaluate the offset,
17which does not changes even after calling __skb_linearize func.
18
19Fixes: 405c92f7a541 ("ipv6: add defensive check for CHECKSUM_PARTIAL skbs in ip_fragment")
20Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
21Reported-by: Wenhao Zhang <zhangwenhao8@huawei.com>
22Reported-by: syzbot+e8ce541d095e486074fc@syzkaller.appspotmail.com
23Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
24Acked-by: Martin KaFai Lau <kafai@fb.com>
25Signed-off-by: David S. Miller <davem@davemloft.net>
26Signed-off-by: Sasha Levin <sashal@kernel.org>
27---
28 net/ipv6/ip6_output.c | 4 +++-
29 1 file changed, 3 insertions(+), 1 deletion(-)
30
31diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
32index 0bb87f3a10c7..eed9231c90ad 100644
33--- a/net/ipv6/ip6_output.c
34+++ b/net/ipv6/ip6_output.c
35@@ -587,7 +587,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
36 inet6_sk(skb->sk) : NULL;
37 struct ipv6hdr *tmp_hdr;
38 struct frag_hdr *fh;
39- unsigned int mtu, hlen, left, len;
40+ unsigned int mtu, hlen, left, len, nexthdr_offset;
41 int hroom, troom;
42 __be32 frag_id;
43 int ptr, offset = 0, err = 0;
44@@ -598,6 +598,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
45 goto fail;
46 hlen = err;
47 nexthdr = *prevhdr;
48+ nexthdr_offset = prevhdr - skb_network_header(skb);
49
50 mtu = ip6_skb_dst_mtu(skb);
51
52@@ -632,6 +633,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
53 (err = skb_checksum_help(skb)))
54 goto fail;
55
56+ prevhdr = skb_network_header(skb) + nexthdr_offset;
57 hroom = LL_RESERVED_SPACE(rt->dst.dev);
58 if (skb_has_frag_list(skb)) {
59 unsigned int first_len = skb_pagelen(skb);
60--
612.19.1
62
Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git