Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 21b995a9 authored Jan 23, 2017 by Eric Dumazet Committed by David S. Miller Jan 24, 2017

ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()



Since ip6_tnl_parse_tlv_enc_lim() can call pskb_may_pull(),
we must reload any pointer that was related to skb->head
(or skb->data), or risk use after free.

Fixes: c12b395a ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Dmitry Kozlov <xeb@mail.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent d0fa28f0

net/ipv6/ip6_gre.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -582,6 +582,9 @@ static inline int ip6gre_xmit_ipv6(struct sk_buff skb, struct net_device dev)
		return -1;

		offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
		/* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
		ipv6h = ipv6_hdr(skb);

		if (offset > 0) {
		struct ipv6_tlv_tnl_enc_lim *tel;
		tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset];

net/ipv6/ip6_tunnel.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1303,6 +1303,8 @@ ip6ip6_tnl_xmit(struct sk_buff skb, struct net_device dev)
		fl6.flowlabel = key->label;
		} else {
		offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
		/* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
		ipv6h = ipv6_hdr(skb);
		if (offset > 0) {
		struct ipv6_tlv_tnl_enc_lim *tel;