linux/net/ipv6
Mukund Jampala c6f408996c netfilter: ip[6]t_REJECT: fix wrong transport header pointer in TCP reset
The problem occurs when iptables constructs the tcp reset packet.
It doesn't initialize the pointer to the tcp header within the skb.
When the skb is passed to the ixgbe driver for transmit, the ixgbe
driver attempts to access the tcp header and crashes.
Currently, other drivers (such as our 1G e1000e or igb drivers) don't
access the tcp header on transmit unless the TSO option is turned on.

<1>BUG: unable to handle kernel NULL pointer dereference at 0000000d
<1>IP: [<d081621c>] ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe]
<4>*pdpt = 0000000085e5d001 *pde = 0000000000000000
<0>Oops: 0000 [#1] SMP
[...]
<4>Pid: 0, comm: swapper Tainted: P            2.6.35.12 #1 Greencity/Thurley
<4>EIP: 0060:[<d081621c>] EFLAGS: 00010246 CPU: 16
<4>EIP is at ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe]
<4>EAX: c7628820 EBX: 00000007 ECX: 00000000 EDX: 00000000
<4>ESI: 00000008 EDI: c6882180 EBP: dfc6b000 ESP: ced95c48
<4> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
<0>Process swapper (pid: 0, ti=ced94000 task=ced73bd0 task.ti=ced94000)
<0>Stack:
<4> cbec7418 c779e0d8 c77cc888 c77cc8a8 0903010a 00000000 c77c0008 00000002
<4><0> cd4997c0 00000010 dfc6b000 00000000 d0d176c9 c77cc8d8 c6882180 cbec7318
<4><0> 00000004 00000004 cbec7230 cbec7110 00000000 cbec70c0 c779e000 00000002
<0>Call Trace:
<4> [<d0d176c9>] ? 0xd0d176c9
<4> [<d0d18a4d>] ? 0xd0d18a4d
<4> [<411e243e>] ? dev_hard_start_xmit+0x218/0x2d7
<4> [<411f03d7>] ? sch_direct_xmit+0x4b/0x114
<4> [<411f056a>] ? __qdisc_run+0xca/0xe0
<4> [<411e28b0>] ? dev_queue_xmit+0x2d1/0x3d0
<4> [<411e8120>] ? neigh_resolve_output+0x1c5/0x20f
<4> [<411e94a1>] ? neigh_update+0x29c/0x330
<4> [<4121cf29>] ? arp_process+0x49c/0x4cd
<4> [<411f80c9>] ? nf_hook_slow+0x3f/0xac
<4> [<4121ca8d>] ? arp_process+0x0/0x4cd
<4> [<4121ca8d>] ? arp_process+0x0/0x4cd
<4> [<4121c6d5>] ? T.901+0x38/0x3b
<4> [<4121c918>] ? arp_rcv+0xa3/0xb4
<4> [<4121ca8d>] ? arp_process+0x0/0x4cd
<4> [<411e1173>] ? __netif_receive_skb+0x32b/0x346
<4> [<411e19e1>] ? netif_receive_skb+0x5a/0x5f
<4> [<411e1ea9>] ? napi_skb_finish+0x1b/0x30
<4> [<d0816eb4>] ? ixgbe_xmit_frame_ring+0x1564/0x2260 [ixgbe]
<4> [<41013468>] ? lapic_next_event+0x13/0x16
<4> [<410429b2>] ? clockevents_program_event+0xd2/0xe4
<4> [<411e1b03>] ? net_rx_action+0x55/0x127
<4> [<4102da1a>] ? __do_softirq+0x77/0xeb
<4> [<4102dab1>] ? do_softirq+0x23/0x27
<4> [<41003a67>] ? do_IRQ+0x7d/0x8e
<4> [<41002a69>] ? common_interrupt+0x29/0x30
<4> [<41007bcf>] ? mwait_idle+0x48/0x4d
<4> [<4100193b>] ? cpu_idle+0x37/0x4c
<0>Code: df 09 d7 0f 94 c2 0f b6 d2 e9 e7 fb ff ff 31 db 31 c0 e9 38
ff ff ff 80 78 06 06 0f 85 3e fb ff ff 8b 7c 24 38 8b 8f b8 00 00 00
<0f> b6 51 0d f6 c2 01 0f 85 27 fb ff ff 80 e2 02 75 0d 8b 6c 24
<0>EIP: [<d081621c>] ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe] SS:ESP

Signed-off-by: Mukund Jampala <jbmukund@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-12-16 23:27:35 +01:00
netfilter netfilter: ip[6]t_REJECT: fix wrong transport header pointer in TCP reset 2012-12-16 23:27:35 +01:00
addrconf_core.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
addrconf.c ipv6: Protect ->mc_forwarding access with CONFIG_IPV6_MROUTE 2012-12-04 14:46:34 -05:00
addrlabel.c net: Enable a userns root rtnl calls that are safe for unprivileged users 2012-11-18 20:33:36 -05:00
af_inet6.c net: Make CAP_NET_BIND_SERVICE per user namespace 2012-11-18 20:33:37 -05:00
ah6.c ipv6: use IS_ENABLED() 2012-11-01 12:41:35 -04:00
anycast.c ipv6: avoid taking locks at socket dismantle 2012-12-05 16:01:28 -05:00
datagram.c net: Allow userns root to control ipv6 2012-11-18 20:32:45 -05:00
esp6.c net: ipv6: fix error return code 2012-08-31 16:27:48 -04:00
exthdrs_core.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch 2012-11-30 12:01:30 -05:00
exthdrs_offload.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
exthdrs.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
fib6_rules.c ipv6: introduce ip6_rt_put() 2012-11-03 14:59:05 -04:00
icmp.c net: Enable some sysctls that are safe for the userns root 2012-11-18 20:33:00 -05:00
inet6_connection_sock.c ipv6: fix inet6_csk_update_pmtu() return value 2012-11-20 15:16:15 -05:00
inet6_hashtables.c net: move inet_dport/inet_num in sock_common 2012-11-30 15:02:56 -05:00
ip6_fib.c ipv6: add support of equal cost multipath (ECMP) 2012-10-23 02:38:32 -04:00
ip6_flowlabel.c net: Allow userns root to control ipv6 2012-11-18 20:32:45 -05:00
ip6_gre.c net: Allow userns root to control ipv6 2012-11-18 20:32:45 -05:00
ip6_input.c net: TCP early demux cleanup 2012-07-30 14:53:21 -07:00
ip6_offload.c net: Remove code duplication between offload structures 2012-11-15 17:39:51 -05:00
ip6_offload.h ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
ip6_output.c ipv6: Update ipv6 static library with newly needed functions 2012-11-15 17:39:23 -05:00
ip6_tunnel.c ip6tnl/sit: drop packet if ECN present with not-ECT 2012-11-28 11:37:11 -05:00
ip6mr.c ip6mr: fix rtm_family of rtnl msg 2012-12-04 13:27:24 -05:00
ipcomp6.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
ipv6_sockglue.c net: Allow userns root to control ipv6 2012-11-18 20:32:45 -05:00
Kconfig gre: Support GRE over IPv6 2012-08-14 14:28:32 -07:00
Makefile ipv6: Fix Makefile offload objects 2012-12-16 09:15:53 -08:00
mcast.c ipv6: avoid taking locks at socket dismantle 2012-12-05 16:01:28 -05:00
mip6.c ipv6: mip6: fix mip6_mh_filter() 2012-09-25 16:04:44 -04:00
ndisc.c ipv6: Change skb->data before using icmpv6_notify() to propagate redirect 2012-12-14 13:14:07 -05:00
netfilter.c netfilter: ipv6: expand skb head in ip6_route_me_harder after oif change 2012-08-30 03:00:15 +02:00
output_core.c ipv6: Update ipv6 static library with newly needed functions 2012-11-15 17:39:23 -05:00
proc.c net: ipv6: proc: Fix error handling 2012-08-14 14:45:07 -07:00
protocol.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
raw.c ipv6: use IS_ENABLED() 2012-11-01 12:41:35 -04:00
reassembly.c net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
route.c ipv6: Fix default route failover when CONFIG_IPV6_ROUTER_PREF=n 2012-12-03 15:34:47 -05:00
sit.c ip6tnl/sit: drop packet if ECN present with not-ECT 2012-11-28 11:37:11 -05:00
syncookies.c tcp: better retrans tracking for defer-accept 2012-11-03 14:45:00 -04:00
sysctl_net_ipv6.c net: Enable some sysctls that are safe for the userns root 2012-11-18 20:33:00 -05:00
tcp_ipv6.c inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock 2012-12-14 13:14:07 -05:00
tcpv6_offload.c net: Remove code duplication between offload structures 2012-11-15 17:39:51 -05:00
tunnel6.c net: ipv6: Standardize prefixes for message logging 2012-05-16 01:01:03 -04:00
udp_impl.h
udp_offload.c ipv6: Fix build error with udp_offload 2012-11-15 22:48:32 -05:00
udp.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
udplite.c Merge branch 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2011-11-06 19:44:47 -08:00
xfrm6_input.c netfilter: ipv6: use NFPROTO values for NF_HOOK invocation 2010-03-25 16:00:49 +01:00
xfrm6_mode_beet.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm6_output.c xfrm6: remove unneeded NULL check in __xfrm6_output() 2012-02-01 02:52:48 -05:00
xfrm6_policy.c xfrm6: Remove commented out function call to xfrm6_input_fini 2012-11-16 08:07:56 +01:00
xfrm6_state.c ipv6: use IS_ENABLED() 2012-11-01 12:41:35 -04:00
xfrm6_tunnel.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00