Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-12-01 00:21:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
199ab00f3c
linux/net
History
WANG Cong 199ab00f3c ipv6: check skb->protocol before lookup for nexthop 
Andrey reported a out-of-bound access in ip6_tnl_xmit(), this
is because we use an ipv4 dst in ip6_tnl_xmit() and cast an IPv4
neigh key as an IPv6 address:

        neigh = dst_neigh_lookup(skb_dst(skb),
                                 &ipv6_hdr(skb)->daddr);
        if (!neigh)
                goto tx_err_link_failure;

        addr6 = (struct in6_addr *)&neigh->primary_key; // <=== HERE
        addr_type = ipv6_addr_type(addr6);

        if (addr_type == IPV6_ADDR_ANY)
                addr6 = &ipv6_hdr(skb)->daddr;

        memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));

Also the network header of the skb at this point should be still IPv4
for 4in6 tunnels, we shold not just use it as IPv6 header.

This patch fixes it by checking if skb->protocol is ETH_P_IPV6: if it
is, we are safe to do the nexthop lookup using skb_dst() and
ipv6_hdr(skb)->daddr; if not (aka IPv4), we have no clue about which
dest address we can pick here, we have to rely on callers to fill it
from tunnel config, so just fall to ip6_route_output() to make the
decision.

Fixes: ea3dc9601b ("ip6_tunnel: Add support for wildcard tunnel endpoints.")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-26 14:51:26 -04:00
..
6lowpan 6lowpan: use rb_entry() 2017-01-22 16:46:13 -05:00
9p Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-03-03 21:44:35 -08:00
802 Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
8021q net: remove ndo_neigh_{construct, destroy} from stacked devices 2017-02-06 11:25:57 -05:00
appletalk lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
atm net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
ax25 net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
batman-adv Here are two batman-adv bugfixes: 2017-03-16 12:05:38 -07:00
bluetooth net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
bridge bridge: move bridge multicast cleanup to ndo_uninit 2017-04-25 14:02:39 -04:00
caif sched/headers: Prepare for new header dependencies before moving code to <linux/sched/signal.h> 2017-03-02 08:42:29 +01:00
can can: bcm: fix hrtimer/tasklet termination in bcm op removal 2017-01-30 11:05:04 +01:00
ceph libceph: force GFP_NOIO for socket allocations 2017-03-23 12:03:36 +01:00
core net: core: Prevent from dereferencing null pointer when releasing SKB 2017-04-26 14:47:14 -04:00
dcb net: dcb: set error code on failures 2016-12-03 23:54:25 -05:00
dccp dccp: fix memory leak during tear-down of unsuccessful connection request 2017-03-13 22:00:42 -07:00
decnet net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
dns_resolver Merge branch 'WIP.sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-03-03 10:16:38 -08:00
dsa Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-02-11 02:31:11 -05:00
ethernet Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-02-16 21:25:49 -05:00
hsr net/hsr: use eth_hw_addr_random() 2017-02-21 13:25:22 -05:00
ieee802154 lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
ife net: Introduce ife encapsulation module 2017-02-03 15:16:45 -05:00
ipv4 udp: disable inner UDP checksum offloads in IPsec case 2017-04-24 13:48:54 -04:00
ipv6 ipv6: check skb->protocol before lookup for nexthop 2017-04-26 14:51:26 -04:00
ipx ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
irda net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
iucv net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
kcm kcm: return immediately after copy_from_user() failure 2017-03-24 13:13:53 -07:00
key af_key: Fix sadb_x_ipsecrequest parsing 2017-04-18 08:26:03 +02:00
l2tp l2tp: don't mask errors in pppol2tp_getsockopt() 2017-04-08 08:29:04 -07:00
l3mdev
lapb Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
llc net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
mac80211 mac80211: reject ToDS broadcast data frames 2017-04-20 15:37:46 -04:00
mac802154 sched/headers: Prepare to use <linux/rcuupdate.h> instead of <linux/rculist.h> in <linux/sched.h> 2017-03-02 08:42:38 +01:00
mpls net: mpls: Fix nexthop alive tracking on down events 2017-03-16 20:22:18 -07:00
ncsi net/ncsi: Improve HNCDSC AEN handler 2016-10-20 11:23:08 -04:00
netfilter netfilter: nft_hash: do not dump the auto generated seed 2017-04-13 23:20:13 +02:00
netlabel netlabel: add CALIPSO to the list of built-in protocols 2017-01-06 22:20:45 -05:00
netlink genetlink: fix counting regression on ctrl_dumpfamily() 2017-03-22 15:38:43 -07:00
netrom net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
nfc net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
openvswitch openvswitch: Fix ovs_flow_key_update() 2017-04-01 12:16:46 -07:00
packet net/packet: check length in getsockopt() called with PACKET_HDRLEN 2017-04-25 14:05:52 -04:00
phonet net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
psample net: Introduce psample, a new genetlink channel for packet sampling 2017-01-24 13:44:28 -05:00
qrtr net: qrtr: potential use after free in qrtr_sendmsg() 2017-04-21 15:19:27 -04:00
rds net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
rfkill rfkill: remove rfkill-regulator 2017-01-24 11:07:35 +01:00
rose net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
rxrpc rxrpc: Ignore BUSY packets on old calls 2017-03-16 21:27:57 -07:00
sched net sched actions: allocate act cookie early 2017-04-20 16:32:07 -04:00
sctp sctp: listen on the sock only when it's state is listening or closed 2017-04-06 13:55:51 -07:00
smc net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
strparser strparser: destroy workqueue on module exit 2017-03-03 20:43:26 -08:00
sunrpc The restriction of NFSv4 to TCP went overboard and also broke the 2017-04-01 10:43:37 -07:00
switchdev Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-30 12:42:58 -04:00
tipc tipc: fix socket flow control accounting error at tipc_recv_stream 2017-04-25 11:45:38 -04:00
unix net: unix: properly re-increment inflight counter of GC discarded candidates 2017-03-21 15:25:10 -07:00
vmw_vsock vsock: cancel packets when failing to connect 2017-03-21 14:41:47 -07:00
wimax genetlink: mark families as __ro_after_init 2016-10-27 16:16:09 -04:00
wireless cfg80211: check rdev resume callback only for registered wiphy 2017-03-29 09:11:29 +02:00
x25 net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
xfrm Merge branch 'apw' (xfrm_user fixes) 2017-03-29 13:26:22 -07:00
compat.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-02-22 10:15:09 -08:00
Kconfig bpf: make jited programs visible in traces 2017-02-17 13:40:05 -05:00
Makefile net: Introduce ife encapsulation module 2017-02-03 15:16:45 -05:00
socket.c tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS 2017-03-21 18:44:17 -07:00
sysctl_net.c