Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bbd6528d authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

ipv6: fix possible use-after-free in ip6_xmit()



In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
we need to call skb_set_owner_w() before consuming original skb,
otherwise we risk a use-after-free.

Bring IPv6 in line with what we do in IPv4 to fix this.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a7f38002
Loading
Loading
Loading
Loading
+2 −4
Original line number Diff line number Diff line
@@ -219,12 +219,10 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
				kfree_skb(skb);
				return -ENOBUFS;
			}
			if (skb->sk)
				skb_set_owner_w(skb2, skb->sk);
			consume_skb(skb);
			skb = skb2;
			/* skb_set_owner_w() changes sk->sk_wmem_alloc atomically,
			 * it is safe to call in our context (socket lock not held)
			 */
			skb_set_owner_w(skb, (struct sock *)sk);
		}
		if (opt->opt_flen)
			ipv6_push_frag_opts(skb, opt, &proto);