From patchwork Fri Dec 21 02:00:27 2012
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 207752
X-Patchwork-Delegate: davem@davemloft.net
Subject: [PATCH] ip_gre: fix possible use after free
From: Eric Dumazet To: David Miller Cc: netdev , Isaku Yamahata Date: Thu, 20 Dec 2012 18:00:27 -0800 Message-ID: <1356055227.21834.4097.camel@edumazet-glaptop> Mime-Version: 1.0 X-Mailer: Evolution 2.28.3 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Eric Dumazet Once skb_realloc_headroom() is called, tiph might point to freed memory. Cache tiph->ttl value before the reallocation, to avoid unexpected behavior. Signed-off-by: Eric Dumazet Cc: Isaku Yamahata --- net/ipv4/ip_gre.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index a85ae2f..4c22e70 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -750,6 +750,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev int gre_hlen; __be32 dst; int mtu; + u8 ttl; if (skb->ip_summed == CHECKSUM_PARTIAL && skb_checksum_help(skb)) @@ -812,6 +813,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev goto tx_error; } + ttl = tiph->ttl; tos = tiph->tos; if (tos == 1) { tos = 0; @@ -904,6 +906,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev dev_kfree_skb(skb); skb = new_skb; old_iph = ip_hdr(skb); + /* Warning : tiph value might point to freed memory */ } skb_reset_transport_header(skb); @@ -927,8 +930,9 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev iph->tos = ipgre_ecn_encapsulate(tos, old_iph, skb); iph->daddr = fl4.daddr; iph->saddr = fl4.saddr; + iph->ttl = ttl; - if ((iph->ttl = tiph->ttl) == 0) { + if (ttl == 0) { if (skb->protocol == htons(ETH_P_IP)) iph->ttl = old_iph->ttl; #if IS_ENABLED(CONFIG_IPV6)
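Review bot: in the second hunk (@@ -812), caching `ttl = tiph->ttl;` beside the existing `tos = tiph->tos;` is the right spot, since both reads precede the `skb_realloc_headroom()` block, but it is worth confirming in the same pass that no other `tiph->` read survives after that block; the comment added later in the function only documents the hazard rather than preventing it.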
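Review bot: in the third hunk (@@ -904), the comment `/* Warning : tiph value might point to freed memory */` after `old_iph = ip_hdr(skb);` does not stop a future `tiph` dereference; consider adding `tiph = NULL;` at that point so a stale read faults immediately under testing instead of silently reading freed memory. Minor style: `Warning:` without the space before the colon matches the surrounding comments.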
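Review bot: in the fourth hunk (@@ -927), the unconditional `iph->ttl = ttl;` is overwritten inside the `if (ttl == 0)` branch, which is equivalent to the removed `if ((iph->ttl = tiph->ttl) == 0)`, and the `u8` local matches the width of the `ttl` field in `struct iphdr`, so nothing is truncated. No further change needed for this hunk.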
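As an added illustration of the bug class this patch addresses (not code from the patch or from the kernel), the following user-space model reproduces the shape of the problem and of the fix: a pointer into a packet buffer goes stale once the buffer is reallocated to gain headroom, and the cure is to copy the needed field out before the reallocation. The names `model_skb`, `model_iphdr`, `model_skb_realloc_headroom`, `outer_ttl_buggy` and `outer_ttl_fixed` are hypothetical stand-ins; the example assumes the case where `tiph` aliases the skb's own data rather than a stable configuration struct.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-ins for struct iphdr / sk_buff; not kernel types. */
struct model_iphdr {
    uint8_t ttl;
    uint8_t tos;
};

struct model_skb {
    unsigned char *head;   /* start of the allocation */
    size_t headroom;       /* bytes reserved before the payload */
    size_t len;            /* payload bytes */
};

/* Constructed sample skb whose payload starts with the tunnel header,
 * i.e. the case where tiph points into skb->data. */
static struct model_skb *model_skb_new(size_t headroom, struct model_iphdr hdr)
{
    struct model_skb *skb = calloc(1, sizeof(*skb));
    if (!skb)
        return NULL;
    skb->headroom = headroom;
    skb->len = sizeof(hdr);
    skb->head = calloc(headroom + skb->len, 1);
    if (!skb->head) {
        free(skb);
        return NULL;
    }
    memcpy(skb->head + headroom, &hdr, sizeof(hdr));
    return skb;
}

static struct model_iphdr *model_ip_hdr(const struct model_skb *skb)
{
    return (struct model_iphdr *)(skb->head + skb->headroom);
}

/* Models skb_realloc_headroom(): new buffer with more headroom, payload
 * copied, old buffer freed. Every pointer into the old buffer now dangles. */
static int model_skb_realloc_headroom(struct model_skb *skb, size_t extra)
{
    size_t new_headroom = skb->headroom + extra;
    unsigned char *new_head = calloc(new_headroom + skb->len, 1);
    if (!new_head)
        return -1;
    memcpy(new_head + new_headroom, skb->head + skb->headroom, skb->len);
    free(skb->head);
    skb->head = new_head;
    skb->headroom = new_headroom;
    return 0;
}

static void model_skb_free(struct model_skb *skb)
{
    if (skb) {
        free(skb->head);
        free(skb);
    }
}

/* Pre-patch shape: tiph is dereferenced after the reallocation. Deliberately
 * not called anywhere: the final read is a use after free that only a
 * sanitizer (ASan here, KASAN in the kernel) reports reliably. */
int outer_ttl_buggy(struct model_skb *skb, size_t needed_headroom)
{
    const struct model_iphdr *tiph = model_ip_hdr(skb);

    if (skb->headroom < needed_headroom &&
        model_skb_realloc_headroom(skb, needed_headroom - skb->headroom))
        return -1;
    return tiph->ttl;          /* reads through a dangling pointer */
}

/* Patched shape: copy what is needed out of *tiph first. Clearing the pointer
 * afterwards goes one step further than the patch's comment: a stray
 * dereference then faults instead of reading freed memory. */
int outer_ttl_fixed(struct model_skb *skb, size_t needed_headroom)
{
    const struct model_iphdr *tiph = model_ip_hdr(skb);
    uint8_t ttl = tiph->ttl;   /* cached before the buffer can move */

    if (skb->headroom < needed_headroom &&
        model_skb_realloc_headroom(skb, needed_headroom - skb->headroom))
        return -1;
    tiph = NULL;
    return ttl;
}

/* Build an skb with a known TTL, optionally force a realloc, and return the
 * TTL the fixed path produces (or -1 on allocation failure). */
int ttl_after_realloc(uint8_t ttl, size_t needed_headroom)
{
    struct model_iphdr hdr = { .ttl = ttl, .tos = 0 };
    struct model_skb *skb = model_skb_new(16, hdr);   /* 16 bytes of headroom */
    int out;

    if (!skb)
        return -1;
    out = outer_ttl_fixed(skb, needed_headroom);      /* > 16 forces the realloc */
    model_skb_free(skb);
    return out;
}

int main(void)
{
    printf("ttl after realloc: %d\n", ttl_after_realloc(64, 64));
    return 0;
}
```

Compiling this with `-fsanitize=address` and calling `outer_ttl_buggy()` instead of the fixed variant is the user-space equivalent of the KASAN report this patch forestalls; the fixed path returns the cached TTL whether or not the reallocation happened.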