
Commit 0c7930e5 authored by Liping Zhang's avatar Liping Zhang Committed by Pablo Neira Ayuso

netfilter: make it safer during the inet6_dev->addr_list traversal



inet6_dev->addr_list is protected by inet6_dev->lock, so holding only
rcu_read_lock is not enough; we should acquire read_lock_bh(&idev->lock)
before traversing inet6_dev->addr_list.

Signed-off-by: default avatarLiping Zhang <zlpnobody@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 3173d5b8
+2 −0
@@ -101,11 +101,13 @@ nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range *range,
		rcu_read_lock();
		idev = __in6_dev_get(skb->dev);
		if (idev != NULL) {
			read_lock_bh(&idev->lock);
			list_for_each_entry(ifa, &idev->addr_list, if_list) {
				newdst = ifa->addr;
				addr = true;
				break;
			}
			read_unlock_bh(&idev->lock);
		}
		rcu_read_unlock();
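Review bot: The loop inside the new `read_lock_bh(&idev->lock)` section still takes the first entry of `idev->addr_list` unconditionally, so the redirect target can be an address that is still tentative or already deprecated; the other traversal touched by this commit, in tproxy_laddr6, skips those. Consider adding `if (ifa->flags & (IFA_F_TENTATIVE | IFA_F_DEPRECATED)) continue;` as the first statement of the loop body, before `newdst = ifa->addr;`. Copying the address by value while the lock is held is the right shape here, since nothing from `ifa` is used after `read_unlock_bh()`. nf_nat_redirect_ipv6 starts and ends outside this hunk, so how the `addr == false` case is handled afterwards cannot be checked from here.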

+4 −1
@@ -393,7 +393,8 @@ tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,

	rcu_read_lock();
	indev = __in6_dev_get(skb->dev);
	if (indev)
	if (indev) {
		read_lock_bh(&indev->lock);
		list_for_each_entry(ifa, &indev->addr_list, if_list) {
			if (ifa->flags & (IFA_F_TENTATIVE | IFA_F_DEPRECATED))
				continue;
@@ -401,6 +402,8 @@ tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
			laddr = &ifa->addr;
			break;
		}
		read_unlock_bh(&indev->lock);
	}
	rcu_read_unlock();

	return laddr ? laddr : daddr;
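Review bot: `laddr = &ifa->addr;` keeps a pointer into the list entry, and that pointer is handed back by `return laddr ? laddr : daddr;` after both `read_unlock_bh(&indev->lock)` and `rcu_read_unlock()`, so the new lock protects the traversal but not the lifetime of what is returned. Presumably this is safe only because the caller already runs inside an outer RCU read-side section and the entry is freed after a grace period; neither is visible here. That assumption should be written down above the loop, for example `/* returned pointer refers to ifa; valid only while the caller's RCU read-side section is held */`, or the address could be copied into caller-provided storage the way nf_nat_redirect_ipv6 does with `newdst = ifa->addr;`. tproxy_laddr6 begins outside the first hunk and its closing brace is outside the second.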