git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Ralf Lici <ralf@mandelbit.com>
	Fri, 30 Jan 2026 17:32:49 +0000 (18:32 +0100)
committer	Antonio Quartulli <antonio@openvpn.net>
	Thu, 12 Feb 2026 14:28:58 +0000 (15:28 +0100)
commit	a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41
tree	99fabe593d093904da2212246852dc71b5199bed	tree
parent	93686c472eb7b09a51b97a096449e7092fefcd1f	commit \| diff

ovpn: fix possible use-after-free in ovpn_net_xmit

When building the skb_list in ovpn_net_xmit, skb_share_check will free
the original skb if it is shared. The current implementation continues
to use the stale skb pointer for subsequent operations:
- peer lookup,
- skb_dst_drop (even though all segments produced by skb_gso_segment
will have a dst attached),
- ovpn_peer_stats_increment_tx.

Fix this by moving the peer lookup and skb_dst_drop before segmentation
so that the original skb is still valid when used. Return early if all
segments fail skb_share_check and the list ends up empty.
Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next
patch fixes the stats logic.

Fixes: 08857b5ec5d9 ("ovpn: implement basic TX path (UDP)")
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>