From patchwork Wed Dec 11 16:10:05 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Dumazet <eric.dumazet@gmail.com>
X-Patchwork-Id: 300215
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 07DE72C0092
	for <patchwork-incoming@ozlabs.org>;
	Thu, 12 Dec 2013 03:10:13 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751554Ab3LKQKK (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 11 Dec 2013 11:10:10 -0500
Received: from mail-pd0-f172.google.com ([209.85.192.172]:61275 "EHLO
	mail-pd0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750945Ab3LKQKH (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 11 Dec 2013 11:10:07 -0500
Received: by mail-pd0-f172.google.com with SMTP id g10so9757494pdj.31
	for <netdev@vger.kernel.org>; Wed, 11 Dec 2013 08:10:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=message-id:subject:from:to:cc:date:in-reply-to:references
	:content-type:content-transfer-encoding:mime-version;
	bh=UBXtQyDztmn33SPRJD2fKlc9Zi8qSAWGCD6pIWIEoVY=;
	b=wnIhaMfU6CrQCGsh+QYQwInTvC4TV5VC6+RSuKFnBRiuooQwd31GzFpUumERGZdEFr
	MvD9DqtLgKkJQ09Zl7gyuOOi6F6N4YcNjhG93LdVKTioCMK+EvwZ6TSQkahbyyK7Q1V3
	003IU/xvmgbuUViGmCOw//1TyMOGL/rQynUXd3/Cq4f9raecLABA56Mqv5FIaBf0WPPZ
	RHN2UtzEmq7PhMjaLLJAj8qA0nH6212X5IOe50fPqNadV1rarFwZQo/yIxwSJUKGm9P5
	oa3oZZQA14SqcrJYBG31FwjpmLrIC6ObDiV5vaosVwj25Xc6kwt5vJ1gmfkzJRDdNgfO
	68lA==
X-Received: by 10.68.66.103 with SMTP id e7mr2650023pbt.120.1386778207223;
	Wed, 11 Dec 2013 08:10:07 -0800 (PST)
Received: from [172.29.166.119] ([172.29.166.119])
	by mx.google.com with ESMTPSA id
	jn12sm33602952pbd.37.2013.12.11.08.10.06 for <multiple recipients>
	(version=SSLv3 cipher=RC4-SHA bits=128/128);
	Wed, 11 Dec 2013 08:10:06 -0800 (PST)
Message-ID: 
 <1386778205.30495.374.camel@edumazet-glaptop2.roam.corp.google.com>
Subject: [PATCH] udp: ipv4: fix potential use after free in
	udp_v4_early_demux()
From: Eric Dumazet <eric.dumazet@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: Shawn Bohrer <sbohrer@rgmadvisors.com>, netdev@vger.kernel.org
Date: Wed, 11 Dec 2013 08:10:05 -0800
In-Reply-To: 
 <1386727643.30495.363.camel@edumazet-glaptop2.roam.corp.google.com>
References: <20131211003948.GA18825@redhat.com>
	<1386723287.30495.352.camel@edumazet-glaptop2.roam.corp.google.com>
	<1386727643.30495.363.camel@edumazet-glaptop2.roam.corp.google.com>
X-Mailer: Evolution 3.2.3-0ubuntu6 
Mime-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet <edumazet@google.com>

pskb_may_pull() can reallocate skb->head, we need to move the
initialization of iph and uh pointers after its call.

Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Shawn Bohrer <sbohrer@rgmadvisors.com>
---
 net/ipv4/udp.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 2e2aecbe22c4..16d246a51a02 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1909,17 +1909,20 @@ static struct sock *__udp4_lib_demux_lookup(struct net *net,
 
 void udp_v4_early_demux(struct sk_buff *skb)
 {
-	const struct iphdr *iph = ip_hdr(skb);
-	const struct udphdr *uh = udp_hdr(skb);
+	struct net *net = dev_net(skb->dev);
+	const struct iphdr *iph;
+	const struct udphdr *uh;
 	struct sock *sk;
 	struct dst_entry *dst;
-	struct net *net = dev_net(skb->dev);
 	int dif = skb->dev->ifindex;
 
 	/* validate the packet */
 	if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct udphdr)))
 		return;
 
+	iph = ip_hdr(skb);
+	uh = udp_hdr(skb);
+
 	if (skb->pkt_type == PACKET_BROADCAST ||
 	    skb->pkt_type == PACKET_MULTICAST)
 		sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,