Commit ec13ad1d authored Nov 02, 2015 by Matthias Schiffer Committed by David S. Miller Nov 02, 2015

ipv6: fix crash on ICMPv6 redirects with prohibited/blackholed source



There are other error values besides ip6_null_entry that can be returned by
ip6_route_redirect(): fib6_rule_action() can also result in
ip6_blk_hole_entry and ip6_prohibit_entry if such ip rules are installed.

Only checking for ip6_null_entry in rt6_do_redirect() causes ip6_ins_rt()
to be called with rt->rt6i_table == NULL in these cases, making the kernel
crash.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 4ab42d78

net/ipv6/route.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -2099,7 +2099,6 @@ static int ip6_route_del(struct fib6_config *cfg)

		static void rt6_do_redirect(struct dst_entry dst, struct sock sk, struct sk_buff *skb)
		{
		struct net *net = dev_net(skb->dev);
		struct netevent_redirect netevent;
		struct rt6_info rt, nrt = NULL;
		struct ndisc_options ndopts;
		@@ -2160,7 +2159,7 @@ static void rt6_do_redirect(struct dst_entry dst, struct sock sk, struct sk_bu
		}

		rt = (struct rt6_info *) dst;
		if (rt == net->ipv6.ip6_null_entry) {
		if (rt->rt6i_flags & RTF_REJECT) {
		net_dbg_ratelimited("rt6_redirect: source isn't a valid nexthop for redirect target\n");
		return;
		}