Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 610438b7 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

udp: ipv4: fix potential use after free in udp_v4_early_demux() 



pskb_may_pull() can reallocate skb->head, we need to move the
initialization of iph and uh pointers after its call.

Fixes: 421b3885 ("udp: ipv4: Add udp early demux")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Cc: Shawn Bohrer <sbohrer@rgmadvisors.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ce232ce0

net/ipv4/udp.c

+6 −3
Original line number Diff line number Diff line
@@ -1909,17 +1909,20 @@ static struct sock *__udp4_lib_demux_lookup(struct net *net, 


void udp_v4_early_demux(struct sk_buff *skb)

{

	const struct iphdr *iph = ip_hdr(skb);

	const struct udphdr *uh = udp_hdr(skb);

	struct net *net = dev_net(skb->dev);

	const struct iphdr *iph;

	const struct udphdr *uh;

	struct sock *sk;

	struct dst_entry *dst;

	struct net *net = dev_net(skb->dev);

	int dif = skb->dev->ifindex;



	/* validate the packet */

	if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct udphdr)))

		return;



	iph = ip_hdr(skb);

	uh = udp_hdr(skb);



	if (skb->pkt_type == PACKET_BROADCAST ||

	    skb->pkt_type == PACKET_MULTICAST)

		sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,