Commit 1ac06e03 authored May 20, 2008 by Herbert Xu Committed by David S. Miller May 20, 2008

ipsec: Use the correct ip_local_out function



Because the IPsec output function xfrm_output_resume does its
own dst_output call it should always call __ip_local_output
instead of ip_local_output as the latter may invoke dst_output
directly.  Otherwise the return values from nf_hook and dst_output
may clash as they both use the value 1 but for different purposes.

When that clash occurs this can cause a packet to be used after
it has been freed which usually leads to a crash.  Because the
offending value is only returned from dst_output with qdiscs
such as HTB, this bug is normally not visible.

Thanks to Marco Berizzi for his perseverance in tracking this
down.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 6f704992

net/ipv4/route.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -160,7 +160,7 @@ static struct dst_ops ipv4_dst_ops = {
		.negative_advice = ipv4_negative_advice,
		.link_failure = ipv4_link_failure,
		.update_pmtu = ip_rt_update_pmtu,
		.local_out = ip_local_out,
		.local_out = __ip_local_out,
		.entry_size = sizeof(struct rtable),
		.entries = ATOMIC_INIT(0),
		};

net/ipv6/route.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -109,7 +109,7 @@ static struct dst_ops ip6_dst_ops_template = {
		.negative_advice = ip6_negative_advice,
		.link_failure = ip6_link_failure,
		.update_pmtu = ip6_rt_update_pmtu,
		.local_out = ip6_local_out,
		.local_out = __ip6_local_out,
		.entry_size = sizeof(struct rt6_info),
		.entries = ATOMIC_INIT(0),
		};