Skip to content

Commit

Permalink
ip_vti: fix potential slab-use-after-free in decode_session6
Browse files Browse the repository at this point in the history
[ Upstream commit 6018a26 ]

When ip_vti device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when ip_vti device sends IPv6 packets.
As commit f855691 ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.

Fixes: f855691 ("xfrm6: Fix the nexthdr offset in _decode_session6.")
Signed-off-by: Zhengchao Shao <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
  • Loading branch information
zhengchaoshao authored and gregkh committed Aug 23, 2023
1 parent 55ad230 commit 2b05bf5
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions net/ipv4/ip_vti.c
Original file line number Diff line number Diff line change
Expand Up @@ -287,12 +287,12 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)

switch (skb->protocol) {
case htons(ETH_P_IP):
xfrm_decode_session(skb, &fl, AF_INET);
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
xfrm_decode_session(skb, &fl, AF_INET);
break;
case htons(ETH_P_IPV6):
xfrm_decode_session(skb, &fl, AF_INET6);
memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
xfrm_decode_session(skb, &fl, AF_INET6);
break;
default:
goto tx_err;
Expand Down

0 comments on commit 2b05bf5

Please sign in to comment.