From patchwork Mon May 2 18:19:15 2016
X-Patchwork-Submitter: Joe Stringer
X-Patchwork-Id: 617650
From: Joe Stringer
To: dev@openvswitch.org
Date: Mon, 2 May 2016 11:19:15 -0700
Message-Id: <1462213158-60221-7-git-send-email-joe@ovn.org>
In-Reply-To: <1462213158-60221-1-git-send-email-joe@ovn.org>
References: <1462213158-60221-1-git-send-email-joe@ovn.org>
X-Mailer: git-send-email 2.1.4
Subject: [ovs-dev] [PATCHv2 6/9] compat: nf_defrag_ipv6: fix NULL deref panic.

Upstream commit:
    netfilter: ipv6: nf_defrag: fix NULL deref panic

    Valdis reports NULL deref in nf_ct_frag6_gather.

    Problem is bogus use of skb_queue_walk() -- we miss first skb in the list
    since we start with head->next instead of head.

    In case the element we're looking for was head->next we won't find a
    result and then trip over NULL iter.

    (defrag uses plain NULL-terminated list rather than one terminated by
    head-of-list-pointer, which is what skb_queue_walk expects).

    Fixes: 029f7f3b8701cc7a ("netfilter: ipv6: nf_defrag: avoid/free clone operations")
    Reported-by: Valdis Kletnieks
    Tested-by: Valdis Kletnieks
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

Upstream: e97ac12859db ("netfilter: ipv6: nf_defrag: fix NULL deref panic")
Signed-off-by: Joe Stringer
---
v2: No changes.
v1: Initial Post.
---
 datapath/linux/compat/nf_conntrack_reasm.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/datapath/linux/compat/nf_conntrack_reasm.c b/datapath/linux/compat/nf_conntrack_reasm.c
index 31c47b487356..5000351e9664 100644
--- a/datapath/linux/compat/nf_conntrack_reasm.c
+++ b/datapath/linux/compat/nf_conntrack_reasm.c
@@ -365,11 +365,14 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev, struct net_devic return false; fp->next = prev->next; - skb_queue_walk(head, iter) { - if (iter->next != prev) - continue; - iter->next = fp; - break; + + iter = head; + while (iter) { + if (iter->next == prev) { + iter->next = fp; + break; + } + iter = iter->next; } skb_morph(prev, head);
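Review bot: the rewritten loop in this hunk now exits silently with iter == NULL when no element has next == prev, which leaves the freshly cloned fp unlinked before the following `skb_morph(prev, head);` runs; the removed skb_queue_walk() version crashed at that point rather than continuing. That case should be unreachable given the surrounding code, but a short comment above `+ iter = head;` noting that the fragment list is plain NULL-terminated (the reason skb_queue_walk() cannot be used, per the commit message) and that prev is expected to be on it, or a WARN_ON_ONCE(!iter) after the loop, would stop a later reader from "simplifying" it back to the macro. The change itself matches the quoted upstream commit e97ac12859db.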
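As an added example (not code from the OVS patch or the upstream kernel), the toy list below models the two conventions the commit message contrasts: a walk modelled on skb_queue_walk(), which starts at head->next and expects to come back around to head, run over a NULL-terminated fragment list, beside the fixed walk that starts at head and stops at NULL. The `struct frag`, the function names and the three-fragment list are constructed for the illustration.

```c
/* Toy model of the nf_defrag predecessor search. struct frag stands in
 * for an sk_buff with its 'next' pointer; the list is NULL-terminated
 * like fq->q.fragments, not circular like an sk_buff_head queue. */
#include <stddef.h>

struct frag {
    int id;
    struct frag *next;
};

/* Walk modelled on skb_queue_walk(): iteration begins at head->next, so
 * 'head' itself is never examined, and the exit condition is "back at
 * head", which a NULL-terminated list never satisfies. The real macro
 * would dereference NULL at the end; this model stops there instead and
 * reports "not found", which is what the kernel panic corresponds to. */
static struct frag *find_pred_bogus(struct frag *head, struct frag *prev)
{
    struct frag *iter;

    for (iter = head->next; iter != NULL && iter != head; iter = iter->next) {
        if (iter->next == prev)
            return iter;
    }
    return NULL;
}

/* Walk as in the fix: start at head, stop at the NULL terminator. */
static struct frag *find_pred_fixed(struct frag *head, struct frag *prev)
{
    struct frag *iter = head;

    while (iter) {
        if (iter->next == prev)
            return iter;
        iter = iter->next;
    }
    return NULL;
}

/* Constructed list f0 -> f1 -> f2 -> NULL; look up the predecessor of f1,
 * the head->next case from the bug report. Returns 1 when the bogus walk
 * misses it (predecessor is head, which it skips) and the fixed walk
 * finds head, i.e. when the model reproduces the reported behaviour. */
int demo_head_next_case(void)
{
    static struct frag f0, f1, f2;

    f0.id = 0; f1.id = 1; f2.id = 2;
    f0.next = &f1; f1.next = &f2; f2.next = NULL;

    return find_pred_bogus(&f0, &f1) == NULL && find_pred_fixed(&f0, &f1) == &f0;
}
```

For any fragment other than head->next both walks agree, which is why the crash only showed up when the last-received fragment sat directly after the head.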