
[Z/Y/X] ipv6/dccp: do not inherit ipv6_mc_list from parent

Message ID 1496831308-14531-2-git-send-email-stefan.bader@canonical.com
State New

Commit Message

Stefan Bader June 7, 2017, 10:28 a.m. UTC
From: WANG Cong <xiyou.wangcong@gmail.com>

Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
we should clear ipv6_mc_list etc. for IPv6 sockets too.

Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2017-9076

(cherry-picked from 83eaddab4378db256d00d295bda6ca997cd13a52)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 net/dccp/ipv6.c     | 6 ++++++
 net/ipv6/tcp_ipv6.c | 2 ++
 2 files changed, 8 insertions(+)

Comments

Colin Ian King June 7, 2017, 10:31 a.m. UTC | #1
On 07/06/17 11:28, Stefan Bader wrote:
> From: WANG Cong <xiyou.wangcong@gmail.com>
> 
> Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
> we should clear ipv6_mc_list etc. for IPv6 sockets too.
> 
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Acked-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> CVE-2017-9076
> 
> (cherry-picked from 83eaddab4378db256d00d295bda6ca997cd13a52)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/dccp/ipv6.c     | 6 ++++++
>  net/ipv6/tcp_ipv6.c | 2 ++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index d9b6a4e..b6bbb71 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
>  		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
>  		newnp->pktoptions  = NULL;
>  		newnp->opt	   = NULL;
> +		newnp->ipv6_mc_list = NULL;
> +		newnp->ipv6_ac_list = NULL;
> +		newnp->ipv6_fl_list = NULL;
>  		newnp->mcast_oif   = inet6_iif(skb);
>  		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
>  
> @@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
>  	/* Clone RX bits */
>  	newnp->rxopt.all = np->rxopt.all;
>  
> +	newnp->ipv6_mc_list = NULL;
> +	newnp->ipv6_ac_list = NULL;
> +	newnp->ipv6_fl_list = NULL;
>  	newnp->pktoptions = NULL;
>  	newnp->opt	  = NULL;
>  	newnp->mcast_oif  = inet6_iif(skb);
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index aeb9497..df5a9ff 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
>  		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
>  #endif
>  
> +		newnp->ipv6_mc_list = NULL;
>  		newnp->ipv6_ac_list = NULL;
>  		newnp->ipv6_fl_list = NULL;
>  		newnp->pktoptions  = NULL;
> @@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
>  	   First: no IPv4 options.
>  	 */
>  	newinet->inet_opt = NULL;
> +	newnp->ipv6_mc_list = NULL;
>  	newnp->ipv6_ac_list = NULL;
>  	newnp->ipv6_fl_list = NULL;
>  
> 
Looks good to me. Thanks Stefan.

Acked-by: Colin Ian King <colin.king@canonical.com>
Colin Ian King June 7, 2017, 10:32 a.m. UTC | #2
On 07/06/17 11:28, Stefan Bader wrote:
> From: WANG Cong <xiyou.wangcong@gmail.com>
> 
> Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
> we should clear ipv6_mc_list etc. for IPv6 sockets too.
> 
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Acked-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> CVE-2017-9076
> 
> (cherry-picked from 83eaddab4378db256d00d295bda6ca997cd13a52)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/dccp/ipv6.c     | 6 ++++++
>  net/ipv6/tcp_ipv6.c | 2 ++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index d9b6a4e..b6bbb71 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
>  		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
>  		newnp->pktoptions  = NULL;
>  		newnp->opt	   = NULL;
> +		newnp->ipv6_mc_list = NULL;
> +		newnp->ipv6_ac_list = NULL;
> +		newnp->ipv6_fl_list = NULL;
>  		newnp->mcast_oif   = inet6_iif(skb);
>  		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
>  
> @@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
>  	/* Clone RX bits */
>  	newnp->rxopt.all = np->rxopt.all;
>  
> +	newnp->ipv6_mc_list = NULL;
> +	newnp->ipv6_ac_list = NULL;
> +	newnp->ipv6_fl_list = NULL;
>  	newnp->pktoptions = NULL;
>  	newnp->opt	  = NULL;
>  	newnp->mcast_oif  = inet6_iif(skb);
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index aeb9497..df5a9ff 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
>  		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
>  #endif
>  
> +		newnp->ipv6_mc_list = NULL;
>  		newnp->ipv6_ac_list = NULL;
>  		newnp->ipv6_fl_list = NULL;
>  		newnp->pktoptions  = NULL;
> @@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
>  	   First: no IPv4 options.
>  	 */
>  	newinet->inet_opt = NULL;
> +	newnp->ipv6_mc_list = NULL;
>  	newnp->ipv6_ac_list = NULL;
>  	newnp->ipv6_fl_list = NULL;
>  
> 
Looks good to me. Thanks Stefan.

Acked-by: Colin Ian King <colin.king@canonical.com>
Andy Whitcroft June 7, 2017, 12:02 p.m. UTC | #3
On Wed, Jun 07, 2017 at 12:28:27PM +0200, Stefan Bader wrote:
> From: WANG Cong <xiyou.wangcong@gmail.com>
> 
> Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
> we should clear ipv6_mc_list etc. for IPv6 sockets too.
> 
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Acked-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> CVE-2017-9076
> 
> (cherry-picked from 83eaddab4378db256d00d295bda6ca997cd13a52)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/dccp/ipv6.c     | 6 ++++++
>  net/ipv6/tcp_ipv6.c | 2 ++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index d9b6a4e..b6bbb71 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
>  		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
>  		newnp->pktoptions  = NULL;
>  		newnp->opt	   = NULL;
> +		newnp->ipv6_mc_list = NULL;
> +		newnp->ipv6_ac_list = NULL;
> +		newnp->ipv6_fl_list = NULL;
>  		newnp->mcast_oif   = inet6_iif(skb);
>  		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
>  
> @@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
>  	/* Clone RX bits */
>  	newnp->rxopt.all = np->rxopt.all;
>  
> +	newnp->ipv6_mc_list = NULL;
> +	newnp->ipv6_ac_list = NULL;
> +	newnp->ipv6_fl_list = NULL;
>  	newnp->pktoptions = NULL;
>  	newnp->opt	  = NULL;
>  	newnp->mcast_oif  = inet6_iif(skb);
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index aeb9497..df5a9ff 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
>  		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
>  #endif
>  
> +		newnp->ipv6_mc_list = NULL;
>  		newnp->ipv6_ac_list = NULL;
>  		newnp->ipv6_fl_list = NULL;
>  		newnp->pktoptions  = NULL;
> @@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
>  	   First: no IPv4 options.
>  	 */
>  	newinet->inet_opt = NULL;
> +	newnp->ipv6_mc_list = NULL;
>  	newnp->ipv6_ac_list = NULL;
>  	newnp->ipv6_fl_list = NULL;

Looks to do what is claimed, cherry-pick:

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
Thadeu Lima de Souza Cascardo June 7, 2017, 1:14 p.m. UTC | #4
Applied to xenial, yakkety and zesty master-next branches.

Thanks.
Cascardo.

Patch

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index d9b6a4e..b6bbb71 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -426,6 +426,9 @@  static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
 		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
 		newnp->pktoptions  = NULL;
 		newnp->opt	   = NULL;
+		newnp->ipv6_mc_list = NULL;
+		newnp->ipv6_ac_list = NULL;
+		newnp->ipv6_fl_list = NULL;
 		newnp->mcast_oif   = inet6_iif(skb);
 		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
 
@@ -490,6 +493,9 @@  static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
 	/* Clone RX bits */
 	newnp->rxopt.all = np->rxopt.all;
 
+	newnp->ipv6_mc_list = NULL;
+	newnp->ipv6_ac_list = NULL;
+	newnp->ipv6_fl_list = NULL;
 	newnp->pktoptions = NULL;
 	newnp->opt	  = NULL;
 	newnp->mcast_oif  = inet6_iif(skb);
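Review bot: The three added NULL assignments sit directly under `/* Clone RX bits */` with no comment of their own, so a reader can mistake them for part of the cloning when they do the opposite. I would add a line above them such as `/* Lists belong to the listener; the child must start with none. */`, and the same above the block added in the v4-mapped branch at -426 and above the `ipv6_mc_list` lines in net/ipv6/tcp_ipv6.c. The commit message says only that the lists must not be inherited. Presumably newnp starts as a copy of the parent's ipv6_pinfo earlier in dccp_v6_request_recv_sock, which begins and ends outside this hunk, so the comment should name that copy step once it is confirmed.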
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index aeb9497..df5a9ff 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1062,6 +1062,7 @@  static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
 		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
 #endif
 
+		newnp->ipv6_mc_list = NULL;
 		newnp->ipv6_ac_list = NULL;
 		newnp->ipv6_fl_list = NULL;
 		newnp->pktoptions  = NULL;
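Review bot: With this line the v4-mapped branch clears `ipv6_mc_list`, `ipv6_ac_list` and `ipv6_fl_list` by hand, and the same triple is repeated in the native path at -1131 and twice in net/dccp/ipv6.c. Enumerating the fields per call site is presumably how `ipv6_mc_list` came to be missed here while the other two were already cleared. A single helper called from all four places would keep the set of non-inherited fields in one spot; since this patch is a cherry-pick, that belongs in an upstream follow-up, not in this backport. The helper name below is only a suggestion, and tcp_v6_syn_recv_sock starts and ends outside the hunk.

```c
/* proposed helper; name and location are suggestions only */
static inline void ipv6_pinfo_drop_inherited_lists(struct ipv6_pinfo *newnp)
{
	/* These lists belong to the listener and must not be shared with the child. */
	newnp->ipv6_mc_list = NULL;
	newnp->ipv6_ac_list = NULL;
	newnp->ipv6_fl_list = NULL;
}

/* … unchanged: newtp->af_specific assignment and #endif … */
		ipv6_pinfo_drop_inherited_lists(newnp);
		newnp->pktoptions  = NULL;
```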
@@ -1131,6 +1132,7 @@  static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
 	   First: no IPv4 options.
 	 */
 	newinet->inet_opt = NULL;
+	newnp->ipv6_mc_list = NULL;
 	newnp->ipv6_ac_list = NULL;
 	newnp->ipv6_fl_list = NULL;