OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
linux/net/ipv6
History
Daniel Borkmann 3a1c756590 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv 
In tcp_v6_do_rcv() code, when processing pkt options, we soley work
on our skb clone opt_skb that we've created earlier before entering
tcp_rcv_established() on our way. However, only in condition ...

  if (np->rxopt.bits.rxtclass)
    np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));

... we work on skb itself. As we extract every other information out
of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
already be released by tcp_rcv_established() earlier on. When we try
to access it in ipv6_hdr(), we will dereference freed skb.

[ Bug added by commit 4c507d2897 ("net: implement IP_RECVTOS for
  IP_PKTOPTIONS") ]

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
 		2013-09-04 14:44:41 -04:00
..
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-07-03 14:55:13 -07:00
Kconfig
Makefile net: ipv6: Add IPv6 support to the ping socket. 2013-05-25 21:07:49 -07:00
addrconf.c ipv6: ipv6_create_tempaddr cleanup 2013-09-03 22:16:50 -04:00
addrconf_core.c ipv6: add include file to suppress sparse warnings 2013-06-25 02:44:05 -07:00
addrlabel.c ipv6: fix null pointer dereference in __ip6addrlbl_add 2013-09-04 14:14:53 -04:00
af_inet6.c net: ipv6: Add IPv6 support to the ping socket. 2013-05-25 21:07:49 -07:00
ah6.c
anycast.c
datagram.c net: ipv6: Unify {raw,udp}6_sock_seq_show. 2013-06-04 12:56:14 -07:00
esp6.c net: esp{4,6}: fix potential MTU calculation overflows 2013-08-05 12:26:50 -07:00
exthdrs.c
exthdrs_core.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
exthdrs_offload.c
fib6_rules.c
icmp.c ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO 2013-09-03 22:11:44 -04:00
inet6_connection_sock.c
inet6_hashtables.c
ip6_checksum.c
ip6_fib.c ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not match 2013-08-07 17:17:19 -07:00
ip6_flowlabel.c
ip6_gre.c ipv6: wire up skb->encapsulation 2013-08-19 09:37:46 +02:00
ip6_icmp.c ipv6: Kill ipv6 dependency of icmpv6_send(). 2013-04-29 13:54:36 -04:00
ip6_input.c
ip6_offload.c MPLS: Add limited GSO support 2013-05-27 22:50:59 -07:00
ip6_offload.h
ip6_output.c ipv6: set skb->protocol on tcp, raw and ip6_append_data genereated skbs 2013-08-26 12:46:24 +02:00
ip6_tunnel.c ipv6: wire up skb->encapsulation 2013-08-19 09:37:46 +02:00
ip6mr.c ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup 2013-07-24 17:02:13 -07:00
ipcomp6.c
ipv6_sockglue.c
mcast.c ipv6,mcast: always hold idev->lock before mca_lock 2013-07-01 23:39:21 -07:00
mip6.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
ndisc.c ipv6: Don't depend on per socket memory for neighbour discovery messages 2013-09-04 14:37:41 -04:00
netfilter.c netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6 2013-05-23 11:58:55 +02:00
output_core.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
ping.c net: ipv6: fix wrong ping_v6_sendmsg return value 2013-07-03 17:42:05 -07:00
proc.c snmp6: remove IPSTATS_MIB_CSUMERRORS 2013-05-31 16:26:49 -07:00
protocol.c
raw.c ipv6: set skb->protocol on tcp, raw and ip6_append_data genereated skbs 2013-08-26 12:46:24 +02:00
reassembly.c ipv6: drop packets with multiple fragmentation headers 2013-08-20 00:11:24 -07:00
route.c ipv6: handle Redirect ICMP Message with no Redirected Header option 2013-08-22 20:08:21 -07:00
sit.c ipv4 tunnels: fix an oops when using ipip/sit with IPsec 2013-08-30 17:13:28 -04:00
syncookies.c
sysctl_net_ipv6.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
tcp_ipv6.c net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv 2013-09-04 14:44:41 -04:00
tcpv6_offload.c
tunnel6.c
udp.c net: rename ll methods to busy-poll 2013-07-10 17:08:27 -07:00
udp_impl.h ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
udp_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-06-05 16:37:30 -07:00
udplite.c ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c xfrm: revert ipv4 mtu determination to dst_mtu 2013-08-26 12:40:53 +02:00
xfrm6_policy.c xfrm6: release dev before returning error 2013-05-11 17:40:15 -07:00
xfrm6_state.c xfrm: make local error reporting more robust 2013-08-14 13:07:12 +02:00
xfrm6_tunnel.c