qiurui
/
Centos-kernel-stream-9
mirror of https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ip_vti: fix potential slab-use-after-free in decode_session6 

JIRA: https://issues.redhat.com/browse/RHEL-14517
Tested: basic ipsec tests

commit 6018a266279b1a75143c7c0804dd08a5fc4c3e0b
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Mon Jul 10 17:40:53 2023 +0800

    ip_vti: fix potential slab-use-after-free in decode_session6

    When ip_vti device is set to the qdisc of the sfb type, the cb field
    of the sent skb may be modified during enqueuing. Then,
    slab-use-after-free may occur when ip_vti device sends IPv6 packets.
    As commit f855691975 ("xfrm6: Fix the nexthdr offset in
    _decode_session6.") showed, xfrm_decode_session was originally intended
    only for the receive path. IP6CB(skb)->nhoff is not set during
    transmission. Therefore, set the cb field in the skb to 0 before
    sending packets.

    Fixes: f855691975 ("xfrm6: Fix the nexthdr offset in _decode_session6.")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
This commit is contained in:
Sabrina Dubroca 2023-10-25 22:53:55 +02:00
parent 5c84b6d291
commit e6be13dcdc
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
net/ipv4/ip_vti.c
View File

@ -287,12 +287,12 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
switch (skb->protocol) {
case htons(ETH_P_IP):
xfrm_decode_session(skb, &fl, AF_INET);
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
xfrm_decode_session(skb, &fl, AF_INET);
break;
case htons(ETH_P_IPV6):
xfrm_decode_session(skb, &fl, AF_INET6);
memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
xfrm_decode_session(skb, &fl, AF_INET6);
break;
default:
goto tx_err;