diff mbox

[Trusty] ipv6/dccp: do not inherit ipv6_mc_list from parent

Message ID 1496831308-14531-3-git-send-email-stefan.bader@canonical.com
State New
Headers show

Commit Message

Stefan Bader June 7, 2017, 10:28 a.m. UTC 
From: WANG Cong <xiyou.wangcong@gmail.com>

Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
we should clear ipv6_mc_list etc. for IPv6 sockets too.

Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2017-9076

(backported from 83eaddab4378db256d00d295bda6ca997cd13a52)
[manual placement of hunk#2 net/dccp/ipv6.c]
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 net/dccp/ipv6.c     | 7 +++++++
 net/ipv6/tcp_ipv6.c | 2 ++
 2 files changed, 9 insertions(+)

Comments

Colin Ian King June 7, 2017, 10:31 a.m. UTC | #1 
On 07/06/17 11:28, Stefan Bader wrote:
> From: WANG Cong <xiyou.wangcong@gmail.com>
> 
> Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
> we should clear ipv6_mc_list etc. for IPv6 sockets too.
> 
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Acked-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> CVE-2017-9076
> 
> (backported from 83eaddab4378db256d00d295bda6ca997cd13a52)
> [manual placement of hunk#2 net/dccp/ipv6.c]
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/dccp/ipv6.c     | 7 +++++++
>  net/ipv6/tcp_ipv6.c | 2 ++
>  2 files changed, 9 insertions(+)
> 
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index cf5bdc0..9dacede 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -482,6 +482,9 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
>  		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
>  		newnp->pktoptions  = NULL;
>  		newnp->opt	   = NULL;
> +		newnp->ipv6_mc_list = NULL;
> +		newnp->ipv6_ac_list = NULL;
> +		newnp->ipv6_fl_list = NULL;
>  		newnp->mcast_oif   = inet6_iif(skb);
>  		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
>  
> @@ -557,6 +560,10 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
>  	/* Clone RX bits */
>  	newnp->rxopt.all = np->rxopt.all;
>  
> +	newnp->ipv6_mc_list = NULL;
> +	newnp->ipv6_ac_list = NULL;
> +	newnp->ipv6_fl_list = NULL;
> +
>  	/* Clone pktoptions received with SYN */
>  	newnp->pktoptions = NULL;
>  	if (ireq->pktopts != NULL) {
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 69ee798..71d86e7 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1131,6 +1131,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
>  		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
>  #endif
>  
> +		newnp->ipv6_mc_list = NULL;
>  		newnp->ipv6_ac_list = NULL;
>  		newnp->ipv6_fl_list = NULL;
>  		newnp->pktoptions  = NULL;
> @@ -1198,6 +1199,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
>  	   First: no IPv4 options.
>  	 */
>  	newinet->inet_opt = NULL;
> +	newnp->ipv6_mc_list = NULL;
>  	newnp->ipv6_ac_list = NULL;
>  	newnp->ipv6_fl_list = NULL;
>  
> 
Looks good to me. Thanks Stefan.

Acked-by: Colin Ian King <colin.king@canonical.com>
Andy Whitcroft June 7, 2017, 12:02 p.m. UTC | #2 
On Wed, Jun 07, 2017 at 12:28:28PM +0200, Stefan Bader wrote:
> From: WANG Cong <xiyou.wangcong@gmail.com>
> 
> Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
> we should clear ipv6_mc_list etc. for IPv6 sockets too.
> 
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Acked-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> CVE-2017-9076
> 
> (backported from 83eaddab4378db256d00d295bda6ca997cd13a52)
> [manual placement of hunk#2 net/dccp/ipv6.c]
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/dccp/ipv6.c     | 7 +++++++
>  net/ipv6/tcp_ipv6.c | 2 ++
>  2 files changed, 9 insertions(+)
> 
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index cf5bdc0..9dacede 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -482,6 +482,9 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
>  		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
>  		newnp->pktoptions  = NULL;
>  		newnp->opt	   = NULL;
> +		newnp->ipv6_mc_list = NULL;
> +		newnp->ipv6_ac_list = NULL;
> +		newnp->ipv6_fl_list = NULL;
>  		newnp->mcast_oif   = inet6_iif(skb);
>  		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
>  
> @@ -557,6 +560,10 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
>  	/* Clone RX bits */
>  	newnp->rxopt.all = np->rxopt.all;
>  
> +	newnp->ipv6_mc_list = NULL;
> +	newnp->ipv6_ac_list = NULL;
> +	newnp->ipv6_fl_list = NULL;
> +
>  	/* Clone pktoptions received with SYN */
>  	newnp->pktoptions = NULL;
>  	if (ireq->pktopts != NULL) {
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 69ee798..71d86e7 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1131,6 +1131,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
>  		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
>  #endif
>  
> +		newnp->ipv6_mc_list = NULL;
>  		newnp->ipv6_ac_list = NULL;
>  		newnp->ipv6_fl_list = NULL;
>  		newnp->pktoptions  = NULL;
> @@ -1198,6 +1199,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
>  	   First: no IPv4 options.
>  	 */
>  	newinet->inet_opt = NULL;
> +	newnp->ipv6_mc_list = NULL;
>  	newnp->ipv6_ac_list = NULL;
>  	newnp->ipv6_fl_list = NULL;
>  

Looks to do what is claimed.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
Thadeu Lima de Souza Cascardo June 7, 2017, 1:11 p.m. UTC | #3 
Applied to trusty master-next branch.

Thakns.
Cascardo.
diff mbox

Patch

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index cf5bdc0..9dacede 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -482,6 +482,9 @@  static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
 		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
 		newnp->pktoptions  = NULL;
 		newnp->opt	   = NULL;
+		newnp->ipv6_mc_list = NULL;
+		newnp->ipv6_ac_list = NULL;
+		newnp->ipv6_fl_list = NULL;
 		newnp->mcast_oif   = inet6_iif(skb);
 		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
 
@@ -557,6 +560,10 @@  static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
 	/* Clone RX bits */
 	newnp->rxopt.all = np->rxopt.all;
 
+	newnp->ipv6_mc_list = NULL;
+	newnp->ipv6_ac_list = NULL;
+	newnp->ipv6_fl_list = NULL;
+
 	/* Clone pktoptions received with SYN */
 	newnp->pktoptions = NULL;
 	if (ireq->pktopts != NULL) {
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 69ee798..71d86e7 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1131,6 +1131,7 @@  static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
 #endif
 
+		newnp->ipv6_mc_list = NULL;
 		newnp->ipv6_ac_list = NULL;
 		newnp->ipv6_fl_list = NULL;
 		newnp->pktoptions  = NULL;
@@ -1198,6 +1199,7 @@  static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 	   First: no IPv4 options.
 	 */
 	newinet->inet_opt = NULL;
+	newnp->ipv6_mc_list = NULL;
 	newnp->ipv6_ac_list = NULL;
 	newnp->ipv6_fl_list = NULL;