linux/net/ipv6
Daniel Borkmann 3a1c756590 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
In tcp_v6_do_rcv() code, when processing pkt options, we soley work
on our skb clone opt_skb that we've created earlier before entering
tcp_rcv_established() on our way. However, only in condition ...

  if (np->rxopt.bits.rxtclass)
    np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));

... we work on skb itself. As we extract every other information out
of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
already be released by tcp_rcv_established() earlier on. When we try
to access it in ipv6_hdr(), we will dereference freed skb.

[ Bug added by commit 4c507d2897 ("net: implement IP_RECVTOS for
  IP_PKTOPTIONS") ]

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-04 14:44:41 -04:00
..
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-07-03 14:55:13 -07:00
addrconf_core.c ipv6: add include file to suppress sparse warnings 2013-06-25 02:44:05 -07:00
addrconf.c ipv6: ipv6_create_tempaddr cleanup 2013-09-03 22:16:50 -04:00
addrlabel.c ipv6: fix null pointer dereference in __ip6addrlbl_add 2013-09-04 14:14:53 -04:00
af_inet6.c net: ipv6: Add IPv6 support to the ping socket. 2013-05-25 21:07:49 -07:00
ah6.c net: Add skb_unclone() helper function. 2013-02-15 15:10:37 -05:00
anycast.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
datagram.c net: ipv6: Unify {raw,udp}6_sock_seq_show. 2013-06-04 12:56:14 -07:00
esp6.c net: esp{4,6}: fix potential MTU calculation overflows 2013-08-05 12:26:50 -07:00
exthdrs_core.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
exthdrs_offload.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
exthdrs.c ipv6: Store Router Alert option in IP6CB directly. 2013-01-13 20:17:14 -05:00
fib6_rules.c ipv6: introduce ip6_rt_put() 2012-11-03 14:59:05 -04:00
icmp.c ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO 2013-09-03 22:11:44 -04:00
inet6_connection_sock.c ipv6: use newly introduced __ipv6_addr_needs_scope_id and ipv6_iface_scope_id 2013-03-08 12:29:22 -05:00
inet6_hashtables.c soreuseport: TCP/IPv6 implementation 2013-01-23 13:44:01 -05:00
ip6_checksum.c ipv6: move csum_ipv6_magic() and udp6_csum_init() into static library 2013-01-08 17:56:10 -08:00
ip6_fib.c ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not match 2013-08-07 17:17:19 -07:00
ip6_flowlabel.c ipv6 flowlabel: add __rcu annotations 2013-03-07 16:33:10 -05:00
ip6_gre.c ipv6: wire up skb->encapsulation 2013-08-19 09:37:46 +02:00
ip6_icmp.c ipv6: Kill ipv6 dependency of icmpv6_send(). 2013-04-29 13:54:36 -04:00
ip6_input.c ipv6: don't accept node local multicast traffic from the wire 2013-03-29 14:57:33 -04:00
ip6_offload.c MPLS: Add limited GSO support 2013-05-27 22:50:59 -07:00
ip6_offload.h ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
ip6_output.c ipv6: set skb->protocol on tcp, raw and ip6_append_data genereated skbs 2013-08-26 12:46:24 +02:00
ip6_tunnel.c ipv6: wire up skb->encapsulation 2013-08-19 09:37:46 +02:00
ip6mr.c ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup 2013-07-24 17:02:13 -07:00
ipcomp6.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
ipv6_sockglue.c ipv6: rename datagram_send_ctl and datagram_recv_ctl 2013-01-31 13:53:08 -05:00
Kconfig Tunneling: use IP Tunnel stats APIs. 2013-03-26 12:27:19 -04:00
Makefile net: ipv6: Add IPv6 support to the ping socket. 2013-05-25 21:07:49 -07:00
mcast.c ipv6,mcast: always hold idev->lock before mca_lock 2013-07-01 23:39:21 -07:00
mip6.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
ndisc.c ipv6: Don't depend on per socket memory for neighbour discovery messages 2013-09-04 14:37:41 -04:00
netfilter.c netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6 2013-05-23 11:58:55 +02:00
output_core.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
ping.c net: ipv6: fix wrong ping_v6_sendmsg return value 2013-07-03 17:42:05 -07:00
proc.c snmp6: remove IPSTATS_MIB_CSUMERRORS 2013-05-31 16:26:49 -07:00
protocol.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
raw.c ipv6: set skb->protocol on tcp, raw and ip6_append_data genereated skbs 2013-08-26 12:46:24 +02:00
reassembly.c ipv6: drop packets with multiple fragmentation headers 2013-08-20 00:11:24 -07:00
route.c ipv6: handle Redirect ICMP Message with no Redirected Header option 2013-08-22 20:08:21 -07:00
sit.c ipv4 tunnels: fix an oops when using ipip/sit with IPsec 2013-08-30 17:13:28 -04:00
syncookies.c tcp: Remove TCPCT 2013-03-17 14:35:13 -04:00
sysctl_net_ipv6.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
tcp_ipv6.c net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv 2013-09-04 14:44:41 -04:00
tcpv6_offload.c net: Remove code duplication between offload structures 2012-11-15 17:39:51 -05:00
tunnel6.c net: ipv6: Standardize prefixes for message logging 2012-05-16 01:01:03 -04:00
udp_impl.h ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
udp_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-06-05 16:37:30 -07:00
udp.c net: rename ll methods to busy-poll 2013-07-10 17:08:27 -07:00
udplite.c ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
xfrm6_input.c
xfrm6_mode_beet.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c xfrm: allow to avoid copying DSCP during encapsulation 2013-03-06 07:02:45 +01:00
xfrm6_output.c xfrm: revert ipv4 mtu determination to dst_mtu 2013-08-26 12:40:53 +02:00
xfrm6_policy.c xfrm6: release dev before returning error 2013-05-11 17:40:15 -07:00
xfrm6_state.c xfrm: make local error reporting more robust 2013-08-14 13:07:12 +02:00
xfrm6_tunnel.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00