Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit af443b6d authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller
Browse files

[NETFILTER]: ipt_REJECT: fix memory corruption 



On devices with hard_header_len > LL_MAX_HEADER ip_route_me_harder()
reallocates the skb, leading to memory corruption when using the stale
tcph pointer to update the checksum.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 2e47c264

net/ipv4/netfilter/ipt_REJECT.c

+9 −7
Original line number Diff line number Diff line
@@ -114,6 +114,14 @@ static void send_reset(struct sk_buff *oldskb, int hook) 
	tcph->window = 0;

	tcph->urg_ptr = 0;



	/* Adjust TCP checksum */

	tcph->check = 0;

	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),

				   nskb->nh.iph->saddr,

				   nskb->nh.iph->daddr,

				   csum_partial((char *)tcph,

						sizeof(struct tcphdr), 0));



	/* Set DF, id = 0 */

	nskb->nh.iph->frag_off = htons(IP_DF);

	nskb->nh.iph->id = 0;
@@ -129,14 +137,8 @@ static void send_reset(struct sk_buff *oldskb, int hook) 
	if (ip_route_me_harder(&nskb, addr_type))

		goto free_nskb;



	/* Adjust TCP checksum */

	nskb->ip_summed = CHECKSUM_NONE;

	tcph->check = 0;

	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),

				   nskb->nh.iph->saddr,

				   nskb->nh.iph->daddr,

				   csum_partial((char *)tcph,

						sizeof(struct tcphdr), 0));



	/* Adjust IP TTL */

	nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);