summaryrefslogtreecommitdiffstats
path: root/net/caif/cfrfml.c
diff options
context:
space:
mode:
authorhannes@stressinduktion.org <hannes@stressinduktion.org>2015-04-01 17:07:44 +0200
committerDavid S. Miller <davem@davemloft.net>2015-04-06 16:12:49 -0400
commitf60e5990d9c1424af9dbca60a23ba2a1c7c1ce90 (patch)
treebba5ed057073e42c0113473e1cdbff0bc46ab875 /net/caif/cfrfml.c
parent576b7cd2f6ff1e90b3fc0a000d2fe74f8a50a4bb (diff)
downloadlinux-stable-f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90.tar.gz
linux-stable-f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90.tar.bz2
linux-stable-f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90.zip
ipv6: protect skb->sk accesses from recursive dereference inside the stack
We should not consult skb->sk for output decisions in xmit recursion levels > 0 in the stack. Otherwise local socket settings could influence the result of e.g. tunnel encapsulation process. ipv6 does not conform with this in three places: 1) ip6_fragment: we do consult ipv6_npinfo for frag_size 2) sk_mc_loop in ipv6 uses skb->sk and checks if we should loop the packet back to the local socket 3) ip6_skb_dst_mtu could query the settings from the user socket and force a wrong MTU Furthermore: In sk_mc_loop we could potentially land in WARN_ON(1) if we use a PF_PACKET socket ontop of an IPv6-backed vxlan device. Reuse xmit_recursion as we are currently only interested in protecting tunnel devices. Cc: Jiri Pirko <jiri@resnulli.us> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/caif/cfrfml.c')
0 files changed, 0 insertions, 0 deletions