
Commit dfb98836 authored by Haishuang Yan, committed by Greg Kroah-Hartman

ip6_tunnel: fix possible use-after-free on xmit



[ Upstream commit 01f5bffad555f8e22a61f4b1261fe09cf1b96994 ]

ip4ip6/ip6ip6 tunnels run iptunnel_handle_offloads on xmit which
can cause a possible use-after-free accessing iph/ipv6h pointer
since the packet will be 'uncloned' running pskb_expand_head if
it is a cloned gso skb.

Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets")
Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 00a8794f
+4 −4
@@ -1275,11 +1275,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
			fl6.flowi6_mark = skb->mark;
	}

	dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));

	if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
		return -1;

	dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));

	skb_set_inner_ipproto(skb, IPPROTO_IPIP);

	err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
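
Review bot: the requirement that iph be read before iptunnel_handle_offloads() in ip4ip6_tnl_xmit is enforced only by statement order, with no comment, so a later cleanup could move the dsfield line back below the call and bring the stale pointer back. The commit message explains that the call may unclone a cloned gso skb through pskb_expand_head; a one-line comment above the call stating that iph must not be dereferenced past that point would keep the constraint visible in the source. This rendering has lost its +/- markers, so the dsfield line shows at both positions; the copy after the call is the one the description identifies as unsafe.
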
@@ -1362,11 +1362,11 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
			fl6.flowi6_mark = skb->mark;
	}

	dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));

	if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
		return -1;

	dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));

	skb_set_inner_ipproto(skb, IPPROTO_IPV6);

	err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
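
Review bot: in ip6ip6_tnl_xmit the visible context ends at the ip6_tnl_xmit() call, so please confirm that nothing later in the function still dereferences ipv6h after iptunnel_handle_offloads(), since that pointer was taken before the skb head could be reallocated. If a later use exists or is added, reloading the pointer after the call (`ipv6h = ipv6_hdr(skb);`) is more robust than depending on the order of statements. The same applies to iph in the ip4ip6 path, and a short note in the commit message saying the remaining uses were checked would help stable reviewers.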