Commit a9915a1b authored by Eric Dumazet, committed by David S. Miller

ipv4: fix ip header ident selection in __ip_make_skb()

Christian Casteyde reported a kmemcheck 32-bit read from uninitialized
memory in __ip_select_ident().

It turns out that __ip_make_skb() called ip_select_ident() before
properly initializing iph->daddr.

This is a bug uncovered by commit 1d861aa4 (inet: Minimize use of
cached route inetpeer.)

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=46131



Reported-by: Christian Casteyde <casteyde.christian@free.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 1a7b27c9
+1 −1
@@ -1338,10 +1338,10 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
	iph->ihl = 5;
	iph->ihl = 5;
	iph->tos = inet->tos;
	iph->tos = inet->tos;
	iph->frag_off = df;
	iph->frag_off = df;
	ip_select_ident(iph, &rt->dst, sk);
	iph->ttl = ttl;
	iph->ttl = ttl;
	iph->protocol = sk->sk_protocol;
	iph->protocol = sk->sk_protocol;
	ip_copy_addrs(iph, fl4);
	ip_copy_addrs(iph, fl4);
	ip_select_ident(iph, &rt->dst, sk);


	if (opt) {
	if (opt) {
		iph->ihl += opt->optlen>>2;
		iph->ihl += opt->optlen>>2;
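
Review bot: the relocated ip_select_ident(iph, &rt->dst, sk) call now silently depends on ip_copy_addrs(iph, fl4) having run first, and nothing in the hunk records that ordering. A one-line comment above the call, stating that ident selection reads iph->daddr and must follow the address copy, would keep a later reshuffle of these header assignments from reintroducing the uninitialized read that kmemcheck reported. Since the commit message says the read happens inside __ip_select_ident(), it would also help to note in the changelog whether the other ip_select_ident() callers were checked for the same ordering.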