Commit 61792b67 authored Oct 23, 2018 by Florian Westphal Committed by Pablo Neira Ayuso Oct 25, 2018

netfilter: ipv6: fix oops when defragmenting locally generated fragments



Unlike ipv4 and normal ipv6 defrag, netfilter ipv6 defragmentation did
not save/restore skb->dst.

This causes oops when handling locally generated ipv6 fragments, as
output path needs a valid dst.

Reported-by: Maciej Żenczykowski <zenczykowski@gmail.com>
Fixes: 84379c9a ("netfilter: ipv6: nf_defrag: drop skb dst before queueing")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 4f3ebb04

net/ipv6/netfilter/nf_conntrack_reasm.c

+9 −4

Original line number	Diff line number	Diff line
		@@ -587,11 +587,16 @@ int nf_ct_frag6_gather(struct net net, struct sk_buff skb, u32 user)
		*/
		ret = -EINPROGRESS;
		if (fq->q.flags == (INET_FRAG_FIRST_IN \| INET_FRAG_LAST_IN) &&
		fq->q.meat == fq->q.len &&
		nf_ct_frag6_reasm(fq, skb, dev))
		fq->q.meat == fq->q.len) {
		unsigned long orefdst = skb->_skb_refdst;

		skb->_skb_refdst = 0UL;
		if (nf_ct_frag6_reasm(fq, skb, dev))
		ret = 0;
		else
		skb->_skb_refdst = orefdst;
		} else {
		skb_dst_drop(skb);
		}

		out_unlock:
		spin_unlock_bh(&fq->q.lock);