Patchwork netfilter: Fix potential use after free in ip6_route_me_harder()

Submitter Sergey Popovich
Date May 8, 2014, 1:22 p.m.
Message ID <1399555355-7677-1-git-send-email-popovich_sergei@mail.ru>
Permalink /patch/347049/
State Accepted

Comments

Sergey Popovich - May 8, 2014, 1:22 p.m.
Dst is released one line before we access it again with dst->error.

Fixes: 58e35d147128 netfilter: ipv6: propagate routing errors from
ip6_route_me_harder()

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
---
 net/ipv6/netfilter.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Pablo Neira - May 9, 2014, 10:44 a.m.
On Thu, May 08, 2014 at 04:22:35PM +0300, Sergey Popovich wrote:
> Dst is released one line before we access it again with dst->error.
> 
> Fixes: 58e35d147128 netfilter: ipv6: propagate routing errors from
> ip6_route_me_harder()

Applied, thanks.

Patch

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 95f3f1d..d38e6a8 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -30,13 +30,15 @@  int ip6_route_me_harder(struct sk_buff *skb)
 		.daddr = iph->daddr,
 		.saddr = iph->saddr,
 	};
+	int err;
 
 	dst = ip6_route_output(net, skb->sk, &fl6);
-	if (dst->error) {
+	err = dst->error;
+	if (err) {
 		IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
 		LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
 		dst_release(dst);
-		return dst->error;
+		return err;
 	}
 
 	/* Drop old route. */
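
Review bot: the new function-scope `int err;` is only consumed inside the error branch, so it could be a branch-local instead: keep the condition as `if (dst->error)` and read `dst->error` into the local immediately before `dst_release(dst)`, which puts the capture right next to the release it has to precede and makes the ordering requirement obvious to the next reader. Either form is correct as far as this hunk shows: the value is read while the reference is still held, and `ip6_dst_idev(dst)` in the `IP6_INC_STATS` line also runs before the release. The visible context stops at `/* Drop old route. */`, so any later use of `dst` in the function cannot be checked from these lines and is worth a look in the full file.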