| Message ID | 1607959129-26808-1-git-send-email-vmayatskikh@digitalocean.com |
|---|---|
| State | Deferred |
| Headers | show |
| Series | [ovs-dev] stt: fix dst_entry use-after-free in rcv_list for GSO skb | expand |
On Mon, Dec 14, 2020 at 10:18:49AM -0500, Vitaly Mayatskikh wrote: > rcv_list assigns next->dst which is later released in skb_scrub_packet > and then assigns the same dst_entry again in ovs_ip_tunnel_rcv, but it > was freed already. > > Signed-off-by: Vitaly Mayatskikh <vmayatskikh@digitalocean.com> Hi Vitaly, This patch appears to have gone stale in patchwork, for one reason or another. If it is still relevant then I think it needs to be revisited, by being reposted after appropriate preparation. As such I'm marking this patch as "Deferred" in patchwork. No action is required unless there is a desire to revisit this patch.
diff --git a/datapath/linux/compat/stt.c b/datapath/linux/compat/stt.c index 39a2947..c2ad3b0 100644 --- a/datapath/linux/compat/stt.c +++ b/datapath/linux/compat/stt.c @@ -1397,10 +1397,8 @@ static void rcv_list(struct net_device *dev, struct sk_buff *skb, do { next = skb->next; skb->next = NULL; - if (next) { + if (next) ovs_dst_hold((struct dst_entry *)tun_dst); - ovs_skb_dst_set(next, (struct dst_entry *)tun_dst); - } ovs_ip_tunnel_rcv(dev, skb, tun_dst); } while ((skb = next)); }
rcv_list assigns next->dst which is later released in skb_scrub_packet and then assigns the same dst_entry again in ovs_ip_tunnel_rcv, but it was freed already. Signed-off-by: Vitaly Mayatskikh <vmayatskikh@digitalocean.com> --- datapath/linux/compat/stt.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)