ip_vti: fix potential slab-use-after-free in decode_session6 - lwn.git - Linux kernel documentation tree maintained by Jonathan Corbet

diff options

author	Zhengchao Shao <shaozhengchao@huawei.com>	2023-07-10 17:40:53 +0800
committer	Steffen Klassert <steffen.klassert@secunet.com>	2023-07-11 11:06:08 +0200
commit	6018a266279b1a75143c7c0804dd08a5fc4c3e0b (patch)
tree	fc27054e187c4e07eed7ee4bafde7fd848072c94 /net/xfrm
parent	9fd41f1ba638938c9a1195d09bc6fa3be2712f25 (diff)
download	lwn-6018a266279b1a75143c7c0804dd08a5fc4c3e0b.tar.gz lwn-6018a266279b1a75143c7c0804dd08a5fc4c3e0b.zip

ip_vti: fix potential slab-use-after-free in decode_session6

When ip_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when ip_vti device sends IPv6 packets. As commit f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets. Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Diffstat (limited to 'net/xfrm')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: