author: Patrick McHardy <kaber@trash.net> 2007-01-09 14:32:41 -0800
committer: David S. Miller <davem@davemloft.net> 2007-01-09 14:32:41 -0800
commit: f9f02cca25acf33e5853c6b3cbb0c7146312783f (patch)
tree: 54bd83070a561f2c479196820e18cd097e9fcc40
parent: 656829e2d052b1da4a72aa2ac39ad733a78530ce (diff)
[NETFILTER]: nf_conntrack_ipv6: fix crash when handling fragments
When IPv6 connection tracking splits up a defragmented packet into its original fragments, the packets are taken from a list and are passed to the network stack with skb->next still set. This causes dev_hard_start_xmit to treat them as GSO fragments, resulting in a use after free when connection tracking handles the next fragment.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- net/ipv6/netfilter/nf_conntrack_reasm.c | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 37e5fca923aa..d9c15402ba66 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -835,6 +835,8 @@ void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
s->nfct_reasm = skb;
s2 = s->next;
+ s->next = NULL;
+
NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn,
NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
s = s2;
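Review bot: the added `s->next = NULL;` in nf_ct_frag6_output would benefit from a one-line comment, because the reason it is required is not visible from the loop itself: once `s` is handed to NF_HOOK_THRESH it leaves the fragment list, and a non-NULL `skb->next` is later interpreted by dev_hard_start_xmit as a GSO segment chain, so the following fragment gets transmitted and freed twice. Something like `/* detach from the fragment list: skb->next must not look like a GSO chain */` above the assignment would save the next reader the trip through the commit log. The ordering in the hunk is correct as written: `s2 = s->next;` is read before the pointer is cleared, so iteration continues from the saved `s2` and nothing in `s` is touched after the hook call, which is what the use-after-free fix depends on.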