From patchwork Sat Feb 4 19:16:52 2017
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 724136
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1486235812.21871.145.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATH net] ipv4: keep skb->dst around in presence of IP options
From: Eric Dumazet
To: David Miller
Cc: netdev, Andrey Konovalov, Dmitry Vyukov
Date: Sat, 04 Feb 2017 11:16:52 -0800
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst is accessed.

ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options are present.

We could refine the test to the presence of ts_needtime or srr, but IP options are not often used, so let's be conservative.

Thanks to syzkaller team for finding this bug.

Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
Signed-off-by: Eric Dumazet
Reported-by: Andrey Konovalov
---
 net/ipv4/ip_sockglue.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 8a4409dd390aac7fcb88383af1550a2f967d..c4fcf9d713cca64a3afaec1628692739d9fa 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c
@@ -1243,7 +1243,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb) pktinfo->ipi_ifindex = 0; pktinfo->ipi_spec_dst.s_addr = 0; } - skb_dst_drop(skb); + /* We need to keep the dst for __ip_options_echo() + * We could restrict the test to opt.ts_needtime || opt.srr, + * but the following is good enough as IP options are not often used. + */ + if (unlikely(IPCB(skb)->opt.optlen)) + skb_dst_force(skb); + else + skb_dst_drop(skb); } int ip_setsockopt(struct sock *sk, int level,
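
Review bot: the `unlikely(IPCB(skb)->opt.optlen)` test at the end of ipv4_pktinfo_prepare() keeps a dst reference for every packet that carries any IP option at all, and since the options are chosen by the sender, a remote peer controls how many skbs end up pinning a dst for as long as they live. The new comment already names the narrower condition (`opt.ts_needtime || opt.srr`); either use it, or extend the comment to say why the extra held references are acceptable. It would also help to state in the comment why `skb_dst_force()` is called rather than simply skipping the drop, namely that the dst must remain valid after this function returns, and the comment's first sentence is missing its closing period.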