Message ID | 20181221154751.199504-1-edumazet@google.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Series | [net] ipv6: tunnels: fix two use-after-free |
From: Eric Dumazet <edumazet@google.com>
Date: Fri, 21 Dec 2018 07:47:51 -0800

> xfrm6_policy_check() might have re-allocated skb->head, we need
> to reload ipv6 header pointer.
>
> sysbot reported :
 ...
> Fixes: 0d3c703a9d17 ("ipv6: Cleanup IPv6 tunnel receive path")
> Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>

Applied and queued up for -stable, thanks Eric.
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index a9d06d4dd05784b9f3d6e492ac3f395ed6a234d6..99179b9c83840bb730a27e7391c9e7f67d043cf1 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c @@ -901,6 +901,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto, goto drop; if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) goto drop; + ipv6h = ipv6_hdr(skb); if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) goto drop; if (iptunnel_pull_header(skb, 0, tpi->proto, false)) diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index eeaf7455d51e52f12b62ffd0c1c82e2ee09e4fc1..706fe42e4928990c84ba157496628d14803f7199 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -318,6 +318,7 @@ static int vti6_rcv(struct sk_buff *skb) return 0; } + ipv6h = ipv6_hdr(skb); if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) { t->dev->stats.rx_dropped++; rcu_read_unlock();
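Review bot: in ipxip6_rcv() in net/ipv6/ip6_tunnel.c, the added `ipv6h = ipv6_hdr(skb);` has no comment saying why the pointer must be re-read after `xfrm6_policy_check()`, so a later cleanup could take it for a redundant assignment and drop it. A one-line comment above it, stating that the policy check may have reallocated skb->head, would keep that dependency visible in the code rather than only in the commit message. An alternative that removes the cached pointer from this call site is to pass `&ipv6_hdr(skb)->daddr` and `&ipv6_hdr(skb)->saddr` to ip6_tnl_rcv_ctl() directly.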
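Review bot: in vti6_rcv() in net/ipv6/ip6_vti.c, the reload lands after the closing brace of a block ending in `return 0;`, and the call that can invalidate ipv6h is not within the hunk's context, so the reason for the assignment is not evident at this spot. Suggest a short comment on the added line naming xfrm6_policy_check() as the call that may have reallocated skb->head, matching whatever wording is used for the same fix in ip6_tunnel.c so the two sites are easy to find together.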