diff options
author | Zhengchao Shao <shaozhengchao@huawei.com> | 2023-07-10 17:40:53 +0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-08-30 16:31:48 +0200 |
commit | 7dfe23659f3677c08a60a0056cda2d91a79c15ca (patch) | |
tree | 4642591bb0cdcdc32e0bed0e7edd5ab341bd5ce1 /net | |
parent | fa6c6c04f6c9b21b315023f487e5a07ae7fcf647 (diff) | |
download | linux-stable-7dfe23659f3677c08a60a0056cda2d91a79c15ca.tar.gz linux-stable-7dfe23659f3677c08a60a0056cda2d91a79c15ca.tar.bz2 linux-stable-7dfe23659f3677c08a60a0056cda2d91a79c15ca.zip |
ip_vti: fix potential slab-use-after-free in decode_session6
[ Upstream commit 6018a266279b1a75143c7c0804dd08a5fc4c3e0b ]
When ip_vti device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when ip_vti device sends IPv6 packets.
As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/ip_vti.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c index 15c71b08c2df..a3536dfe9b16 100644 --- a/net/ipv4/ip_vti.c +++ b/net/ipv4/ip_vti.c @@ -319,12 +319,12 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) switch (skb->protocol) { case htons(ETH_P_IP): - xfrm_decode_session(skb, &fl, AF_INET); memset(IPCB(skb), 0, sizeof(*IPCB(skb))); + xfrm_decode_session(skb, &fl, AF_INET); break; case htons(ETH_P_IPV6): - xfrm_decode_session(skb, &fl, AF_INET6); memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); + xfrm_decode_session(skb, &fl, AF_INET6); break; default: goto tx_err; |