linux/net
Daniel Borkmann 3a1c756590 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
In tcp_v6_do_rcv() code, when processing pkt options, we solely work
on our skb clone opt_skb that we've created earlier before entering
tcp_rcv_established() on our way. However, only in condition ...

  if (np->rxopt.bits.rxtclass)
    np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));

... we work on skb itself. As we extract every other information out
of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
already be released by tcp_rcv_established() earlier on. When we try
to access it in ipv6_hdr(), we will dereference freed skb.

[ Bug added by commit 4c507d2897 ("net: implement IP_RECVTOS for
  IP_PKTOPTIONS") ]

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-04 14:44:41 -04:00
..
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-07-13 17:42:22 -07:00
802 net/802/mrp: fix lockdep splat 2013-05-14 13:02:30 -07:00
8021q vlan: make vlan_dev_real_dev work over stacked vlans 2013-08-05 12:17:42 -07:00
appletalk net: pass info struct via netdevice notifier 2013-05-28 13:11:01 -07:00
atm net: always pass struct netdev_notifier_info to netdevice notifiers 2013-05-28 21:58:54 -07:00
ax25 net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
batman-adv batman-adv: check return type of unicast packet preparations 2013-08-17 20:02:32 +02:00
bluetooth Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 2013-07-31 15:11:50 -04:00
bridge net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for max_delay 2013-08-30 17:56:47 -04:00
caif net: pass info struct via netdevice notifier 2013-05-28 13:11:01 -07:00
can net: pass info struct via netdevice notifier 2013-05-28 13:11:01 -07:00
ceph libceph: call r_unsafe_callback when unsafe reply is received 2013-07-03 15:32:58 -07:00
core net: revert 8728c544a9 ("net: dev_pick_tx() fix") 2013-08-30 17:48:04 -04:00
dcb rtnetlink: Remove passing of attributes into rtnl_doit functions 2013-03-22 10:31:16 -04:00
dccp tcp: Remove TCPCT 2013-03-17 14:35:13 -04:00
decnet net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
dns_resolver net: strict_strtoul is obsolete, use kstrtoul instead 2013-07-12 16:09:14 -07:00
dsa dsa: fix freeing of sparse port allocation 2013-03-25 12:23:41 -04:00
ethernet net: Fix sysfs_format_mac() code duplication. 2013-07-16 17:09:22 -07:00
ieee802154 net: pass info struct via netdevice notifier 2013-05-28 13:11:01 -07:00
ipv4 ipv4 tunnels: fix an oops when using ipip/sit with IPsec 2013-08-30 17:13:28 -04:00
ipv6 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv 2013-09-04 14:44:41 -04:00
ipx net: pass info struct via netdevice notifier 2013-05-28 13:11:01 -07:00
irda net/irda: fixed style issues in irlan_eth 2013-07-16 12:16:03 -07:00
iucv net: delete __cpuinit usage from all net files 2013-07-14 19:36:58 -04:00
key af_key: more info leaks in pfkey messages 2013-07-30 16:26:16 -07:00
l2tp l2tp: make datapath resilient to packet loss when sequence numbers enabled 2013-07-02 16:33:25 -07:00
lapb
llc llc: Fix missing msg_namelen update in llc_ui_recvmsg() 2013-04-07 16:28:01 -04:00
mac80211 mac80211: ibss: fix ignored channel parameter 2013-08-21 15:33:08 +02:00
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-30 03:55:20 -04:00
mpls MPLS: Add limited GSO support 2013-05-27 22:50:59 -07:00
netfilter netfilter: nf_conntrack: fix tcp_in_window for Fast Open 2013-08-10 18:36:22 +02:00
netlabel netlabel: use domain based selectors when address based selectors are not available 2013-08-02 16:57:01 -07:00
netlink genl: Hold reference on correct module while netlink-dump. 2013-08-28 17:19:17 -04:00
netrom net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
nfc NFC: netlink: Rename CMD_FW_UPLOAD to CMD_FW_DOWNLOAD 2013-07-31 01:19:43 +02:00
openvswitch openvswitch: Reset tunnel key between input and output. 2013-08-14 15:50:36 -07:00
packet packet: restore packet statistics tp_packets to include drops 2013-08-20 17:23:58 -07:00
phonet net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
rds net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
rfkill Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next 2013-04-22 14:58:14 -04:00
rose net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
rxrpc
sched net_sched: restore "linklayer atm" handling 2013-08-15 01:43:08 -07:00
sctp net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption 2013-08-12 22:13:47 -07:00
sunrpc SUNRPC: Fix memory corruption issue on 32-bit highmem systems 2013-08-28 15:43:43 -04:00
tipc tipc: set sk_err correctly when connection fails 2013-08-30 16:06:57 -04:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
vmw_vsock net/vmw_vsock/af_vsock.c: drop unneeded semicolon 2013-08-05 11:07:44 -07:00
wimax
wireless cfg80211: don't request disconnect if not connected 2013-08-14 14:00:19 +02:00
x25 x25: Fix broken locking in ioctl error paths. 2013-07-01 18:15:25 -07:00
xfrm xfrm: Fix potential null pointer dereference in xdst_queue_output 2013-08-28 08:47:14 +02:00
compat.c net: Unbreak compat_sys_{send,recv}msg 2013-06-06 11:52:14 -07:00
Kconfig net: rename CONFIG_NET_LL_RX_POLL to CONFIG_NET_RX_BUSY_POLL 2013-08-01 15:11:17 -07:00
Makefile MPLS: Add limited GSO support 2013-05-27 22:50:59 -07:00
nonet.c
socket.c net: rename CONFIG_NET_LL_RX_POLL to CONFIG_NET_RX_BUSY_POLL 2013-08-01 15:11:17 -07:00
sysctl_net.c