linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 33/43] ipv6: check skb->protocol before lookup for nexthop
Date: Mon,  1 May 2017 14:27:33 -0700
Message-ID: <20170501212600.867084632@linuxfoundation.org>
In-Reply-To: <20170501212559.546911128@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>


[ Upstream commit 199ab00f3cdb6f154ea93fa76fd80192861a821d ]

Andrey reported an out-of-bounds access in ip6_tnl_xmit(), this
is because we use an ipv4 dst in ip6_tnl_xmit() and cast an IPv4
neigh key as an IPv6 address:

        neigh = dst_neigh_lookup(skb_dst(skb),
                                 &ipv6_hdr(skb)->daddr);
        if (!neigh)
                goto tx_err_link_failure;

        addr6 = (struct in6_addr *)&neigh->primary_key; // <=== HERE
        addr_type = ipv6_addr_type(addr6);

        if (addr_type == IPV6_ADDR_ANY)
                addr6 = &ipv6_hdr(skb)->daddr;

        memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));

Also the network header of the skb at this point should be still IPv4
for 4in6 tunnels, we should not just use it as IPv6 header.

This patch fixes it by checking if skb->protocol is ETH_P_IPV6: if it
is, we are safe to do the nexthop lookup using skb_dst() and
ipv6_hdr(skb)->daddr; if not (aka IPv4), we have no clue about which
dest address we can pick here, we have to rely on callers to fill it
from tunnel config, so just fall to ip6_route_output() to make the
decision.

Fixes: ea3dc9601bda ("ip6_tunnel: Add support for wildcard tunnel endpoints.")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_tunnel.c |   44 +++++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 21 deletions(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1049,7 +1049,7 @@ static int ip6_tnl_xmit2(struct sk_buff
 	struct ip6_tnl *t = netdev_priv(dev);
 	struct net *net = t->net;
 	struct net_device_stats *stats = &t->dev->stats;
-	struct ipv6hdr *ipv6h = ipv6_hdr(skb);
+	struct ipv6hdr *ipv6h;
 	struct ipv6_tel_txoption opt;
 	struct dst_entry *dst = NULL, *ndst = NULL;
 	struct net_device *tdev;
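Review bot: dropping the initializer on `struct ipv6hdr *ipv6h;` leaves the variable unassigned at its declaration, and this hunk does not show the assignment the function now depends on; the diffstat (23 insertions, 21 deletions) is fully accounted for by the two hunks in this patch, so the later `ipv6h = ipv6_hdr(skb);` must already exist in ip6_tnl_xmit2() after the outer header is pushed. Confirm that every use of ipv6h in the function sits after that assignment, since the compiler will not necessarily flag a path that reads it first. A one-line comment at the declaration saying that ipv6_hdr(skb) at entry still points at the inner header, which is IPv4 for 4in6, would record why the eager read was wrong.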
@@ -1061,26 +1061,28 @@ static int ip6_tnl_xmit2(struct sk_buff
 
 	/* NBMA tunnel */
 	if (ipv6_addr_any(&t->parms.raddr)) {
-		struct in6_addr *addr6;
-		struct neighbour *neigh;
-		int addr_type;
-
-		if (!skb_dst(skb))
-			goto tx_err_link_failure;
-
-		neigh = dst_neigh_lookup(skb_dst(skb),
-					 &ipv6_hdr(skb)->daddr);
-		if (!neigh)
-			goto tx_err_link_failure;
-
-		addr6 = (struct in6_addr *)&neigh->primary_key;
-		addr_type = ipv6_addr_type(addr6);
-
-		if (addr_type == IPV6_ADDR_ANY)
-			addr6 = &ipv6_hdr(skb)->daddr;
-
-		memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
-		neigh_release(neigh);
+		if (skb->protocol == htons(ETH_P_IPV6)) {
+			struct in6_addr *addr6;
+			struct neighbour *neigh;
+			int addr_type;
+
+			if (!skb_dst(skb))
+				goto tx_err_link_failure;
+
+			neigh = dst_neigh_lookup(skb_dst(skb),
+						 &ipv6_hdr(skb)->daddr);
+			if (!neigh)
+				goto tx_err_link_failure;
+
+			addr6 = (struct in6_addr *)&neigh->primary_key;
+			addr_type = ipv6_addr_type(addr6);
+
+			if (addr_type == IPV6_ADDR_ANY)
+				addr6 = &ipv6_hdr(skb)->daddr;
+
+			memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
+			neigh_release(neigh);
+		}
 	} else if (!(t->parms.flags &
 		     (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
 		/* enable the cache only only if the routing decision does
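Review bot: in the NBMA branch, when skb->protocol is not ETH_P_IPV6 the new code leaves fl6->daddr exactly as the caller set it and falls through to the route lookup, but t->parms.raddr is known to be :: in this branch, so if the caller did not fill fl6->daddr from the tunnel config the lookup runs against a wildcard destination; consider whether `goto tx_err_link_failure` is the safer outcome for a non-IPv6 payload here, or document at the `if (skb->protocol == htons(ETH_P_IPV6))` line which callers are expected to have filled fl6->daddr beforehand. The cast `addr6 = (struct in6_addr *)&neigh->primary_key;` is only valid because an IPv6 payload implies an IPv6 dst and therefore a 16-byte neighbour key; a short comment at the cast stating that dependency would stop the next reader from reintroducing the original confusion.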

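The commit message above describes an IPv4 neighbour key being read as a 16-byte IPv6 address. The following user-space model, added here as an example and not code from the patch or the kernel tree, reproduces that over-read against a canary-filled allocation and puts the pre-patch and post-patch destination selection side by side. `struct neighbour`, `struct sk_buff`, `neigh_alloc`, `pick_daddr_unchecked`, `pick_daddr_checked`, `run` and the addresses used are simplified assumptions for illustration, not kernel definitions.

```c
/* Added example (not from the patch or the kernel tree): a user-space model of the
 * neighbour-key type confusion in the NBMA branch of ip6_tnl_xmit2(). Struct shapes,
 * field names and helper names are simplified assumptions, not kernel definitions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ETH_P_IP   0x0800
#define ETH_P_IPV6 0x86DD
#define CANARY     0xAA   /* fills the memory adjacent to a short neighbour key */

struct in6_addr { uint8_t s6_addr[16]; };
/* key_len comes from the owning table: 4 for ARP (IPv4), 16 for ND (IPv6). */
struct neighbour {
	size_t  key_len;
	uint8_t primary_key[];    /* flexible array: only key_len bytes are valid */
};

struct sk_buff {
	uint16_t protocol;        /* host order here; the kernel compares htons() */
	struct neighbour *neigh;  /* stands in for dst_neigh_lookup(skb_dst(skb), ...) */
	struct in6_addr v6_daddr; /* stands in for ipv6_hdr(skb)->daddr */
};

/* Place the neighbour at the start of a canary-filled block, so an over-read
 * past key_len reads the canary instead of faulting. */
static struct neighbour *neigh_alloc(size_t key_len, const uint8_t *key)
{
	size_t blk = sizeof(struct neighbour) + 64;
	struct neighbour *n = malloc(blk);
	if (!n) abort();
	memset(n, CANARY, blk);
	n->key_len = key_len;
	memcpy(n->primary_key, key, key_len);
	return n;
}

/* Pre-patch logic: treat primary_key as an in6_addr regardless of the payload
 * family. For an ARP neighbour that copies 12 bytes past the key. */
int pick_daddr_unchecked(const struct sk_buff *skb, struct in6_addr *out)
{
	static const struct in6_addr any;
	const struct in6_addr *addr6;
	if (!skb->neigh)
		return -1;                /* tx_err_link_failure */
	addr6 = (const struct in6_addr *)skb->neigh->primary_key;
	if (memcmp(addr6, &any, sizeof(any)) == 0)   /* IPV6_ADDR_ANY */
		addr6 = &skb->v6_daddr;
	memcpy(out, addr6, sizeof(*out));
	return 1;
}

/* Post-patch logic: consult the neighbour only for an IPv6 payload; otherwise
 * leave *out untouched and let the route lookup decide. */
int pick_daddr_checked(const struct sk_buff *skb, struct in6_addr *out)
{
	if (skb->protocol != ETH_P_IPV6)
		return 0;
	return pick_daddr_unchecked(skb, out);
}

/* How many bytes of the chosen address came from beyond the neighbour key. */
size_t canary_bytes(const struct in6_addr *a)
{
	size_t n = 0;
	for (size_t i = 0; i < sizeof(a->s6_addr); i++)
		n += (a->s6_addr[i] == CANARY);
	return n;
}

/* Constructed inputs: ARP key 192.0.2.1, ND key 2001:db8::1, wildcard ND key ::
 * and an inner IPv6 header daddr of 2001:db8::2. */
static const uint8_t V4_KEY[4]  = { 192, 0, 2, 1 };
static const uint8_t V6_KEY[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
static const uint8_t V6_ANY[16] = { 0 };
static const struct in6_addr HDR_DADDR = { { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2 } };

/* Build one skb with one neighbour, run the chosen picker into *out, return its rc. */
static int run(uint16_t proto, size_t key_len, const uint8_t *key, int patched,
	       struct in6_addr *out)
{
	struct neighbour *n = neigh_alloc(key_len, key);
	struct sk_buff skb = { proto, n, HDR_DADDR };
	int rc;
	memset(out, 0, sizeof(*out));
	rc = patched ? pick_daddr_checked(&skb, out) : pick_daddr_unchecked(&skb, out);
	free(n);
	return rc;
}

size_t ipv4_unchecked_canary_bytes(void)  /* 4in6 over NBMA, pre-patch: 12 bytes are neighbour memory */
{ struct in6_addr o; run(ETH_P_IP, 4, V4_KEY, 0, &o); return canary_bytes(&o); }
int ipv4_checked_rc(void)                 /* 4in6, post-patch: no lookup, left to ip6_route_output() */
{ struct in6_addr o; return run(ETH_P_IP, 4, V4_KEY, 1, &o); }
int ipv6_checked_uses_key(void)           /* 6in6: the 16-byte neighbour key is the destination */
{ struct in6_addr o; return run(ETH_P_IPV6, 16, V6_KEY, 1, &o) == 1 && !memcmp(&o, V6_KEY, 16); }
int ipv6_wildcard_uses_header(void)       /* 6in6 with a :: key: the inner header daddr is used */
{ struct in6_addr o; return run(ETH_P_IPV6, 16, V6_ANY, 1, &o) == 1 && !memcmp(&o, &HDR_DADDR, 16); }
```

The 12 canary bytes in the unchecked 4in6 case are sizeof(struct in6_addr) minus the 4-byte ARP key; in the kernel those bytes are whatever follows the key in the neighbour allocation, which is the out-of-bounds access the report describes. The checked variant mirrors the patch: an IPv4 payload never reaches the cast, and an IPv6 payload keeps the existing wildcard-key fallback to the inner header's daddr.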

Thread overview: 45+ messages
2017-05-01 21:27 [PATCH 4.4 00/43] 4.4.66-stable review Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 01/43] f2fs: do more integrity verification for superblock Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 02/43] [media] xc2028: unlock on error in xc2028_set_config() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 03/43] ARM: OMAP2+: timer: add probe for clocksources Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 04/43] clk: sunxi: Add apb0 gates for H3 Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 05/43] crypto: testmgr - fix out of bound read in __test_aead() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 06/43] drm/amdgpu: fix array out of bounds Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 07/43] ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 08/43] md:raid1: fix a dead loop when read from a WriteMostly disk Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 09/43] MIPS: Fix crash registers on non-crashing CPUs Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 10/43] net: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata Greg Kroah-Hartman
2017-05-10 15:30   ` Ben Hutchings
2018-04-06  8:26     ` Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 11/43] net_sched: close another race condition in tcf_mirred_release() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 12/43] RDS: Fix the atomicity for congestion map update Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 13/43] regulator: core: Clear the supply pointer if enabling fails Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 14/43] usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 15/43] xen/x86: dont lose event interrupts Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 16/43] sparc64: kern_addr_valid regression Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 17/43] sparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 18/43] net: neigh: guard against NULL solicit() method Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 19/43] net: phy: handle state correctly in phy_stop_machine Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 20/43] l2tp: purge socket queues in the .destruct() callback Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 21/43] net/packet: fix overflow in check for tp_frame_nr Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 22/43] net/packet: fix overflow in check for tp_reserve Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 23/43] l2tp: take reference on sessions being dumped Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 24/43] l2tp: fix PPP pseudo-wire auto-loading Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 25/43] net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 26/43] sctp: listen on the sock only when its state is listening or closed Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 27/43] tcp: clear saved_syn in tcp_disconnect() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 29/43] net: ipv6: RTF_PCPU should not be settable from userspace Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 30/43] netpoll: Check for skb->queue_mapping Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 31/43] ip6mr: fix notification device destruction Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 32/43] macvlan: Fix device ref leak when purging bc_queue Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 33/43] ipv6: check skb->protocol before lookup for nexthop Greg Kroah-Hartman (this message)
2017-05-01 21:27 ` [PATCH 4.4 34/43] ipv6: check raw payload size correctly in ioctl Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 35/43] ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 36/43] ALSA: seq: Dont break snd_use_lock_sync() loop by timeout Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 37/43] MIPS: KGDB: Use kernel context for sleeping threads Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 38/43] MIPS: Avoid BUG warning in arch_check_elf Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 39/43] p9_client_readdir() fix Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 42/43] ARCv2: save r30 on kernel entry as gcc uses it for code-gen Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 43/43] ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram Greg Kroah-Hartman
     [not found] ` <59080414.87dfe90a.9590.db81@mx.google.com>
2017-05-02 13:53   ` [PATCH 4.4 00/43] 4.4.66-stable review Shuah Khan
2017-05-02 17:35 ` Guenter Roeck
