Commit bbd6528d authored Sep 14, 2018 by Eric Dumazet Committed by David S. Miller Sep 17, 2018

ipv6: fix possible use-after-free in ip6_xmit()



In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
we need to call skb_set_owner_w() before consuming original skb,
otherwise we risk a use-after-free.

Bring IPv6 in line with what we do in IPv4 to fix this.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent a7f38002

net/ipv6/ip6_output.c

+2 −4

Original line number	Diff line number	Diff line
		@@ -219,12 +219,10 @@ int ip6_xmit(const struct sock sk, struct sk_buff skb, struct flowi6 *fl6,
		kfree_skb(skb);
		return -ENOBUFS;
		}
		if (skb->sk)
		skb_set_owner_w(skb2, skb->sk);
		consume_skb(skb);
		skb = skb2;
		/* skb_set_owner_w() changes sk->sk_wmem_alloc atomically,
		* it is safe to call in our context (socket lock not held)
		*/
		skb_set_owner_w(skb, (struct sock *)sk);
		}
		if (opt->opt_flen)
		ipv6_push_frag_opts(skb, opt, &proto);