linux/net
Eric Dumazet 64f3b9e203 net: ip_expire() must revalidate route
Commit 4a94445c9a (net: Use ip_route_input_noref() in input path)
added a bug in IP defragmentation handling, in case timeout is fired.

When a frame is defragmented, we use last skb dst field when building
final skb. Its dst is valid, since we are in rcu read section.

But if a timeout occurs, we take first queued fragment to build one ICMP
TIME EXCEEDED message. Problem is all queued skb have weak dst pointers,
since we escaped RCU critical section after their queueing. icmp_send()
might dereference a now freed (and possibly reused) part of memory.

Calling skb_dst_drop() and ip_route_input_noref() to revalidate route is
the only possible choice.

Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-04 14:04:07 -07:00
..
9p Fix common misspellings 2011-03-31 11:26:23 -03:00
802 net/802: add __rcu annotations 2010-10-25 13:09:44 -07:00
8021q Fix common misspellings 2011-03-31 11:26:23 -03:00
appletalk appletalk: Fix OOPS in atalk_release(). 2011-03-31 18:59:10 -07:00
atm Merge branch 'for-linus2' of git://git.profusion.mobi/users/lucas/linux-2.6 2011-04-07 11:14:49 -07:00
ax25 net: ax25: fix information leak to userland harder 2011-01-12 00:34:49 -08:00
batman-adv Fix common misspellings 2011-03-31 11:26:23 -03:00
bluetooth Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-04-22 13:21:38 -07:00
bridge Revert "bridge: Forward reserved group addresses if !STP" 2011-04-21 21:17:25 -07:00
caif caif: performance bugfix - allow radio stack to prioritize packets. 2011-04-11 13:15:58 -07:00
can can: add missing socket check in can/raw release 2011-04-20 12:37:59 -07:00
ceph Merge branch 'for-linus2' of git://git.profusion.mobi/users/lucas/linux-2.6 2011-04-07 11:14:49 -07:00
core networking: inappropriate ioctl operation should return ENOTTY 2011-05-02 15:41:29 -07:00
dcb net: dcbnl: Update copyright dates 2011-03-14 17:02:42 -07:00
dccp Fix common misspellings 2011-03-31 11:26:23 -03:00
decnet decnet: Convert to use flowidn where applicable. 2011-03-12 15:08:55 -08:00
dns_resolver DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] 2011-03-04 09:56:19 +11:00
dsa dsa/mv88e6131: fix unknown multicast/broadcast forwarding on mv88e6085 2011-04-28 13:35:44 -07:00
econet econet: 4 byte infoleak to the network 2011-03-18 15:12:15 -07:00
ethernet eth: fix new kernel-doc warning 2011-01-12 19:00:40 -08:00
ieee802154 ieee802154: Remove hacked CFLAGS in net/ieee802154/Makefile 2011-04-12 15:33:23 -07:00
ipv4 net: ip_expire() must revalidate route 2011-05-04 14:04:07 -07:00
ipv6 sysctl: net: call unregister_net_sysctl_table where needed 2011-05-02 16:12:14 -07:00
ipx ipx: fix ipx_release() 2011-03-21 18:16:39 -07:00
irda irda: fix locking unbalance in irda_sendmsg 2011-04-12 15:29:54 -07:00
iucv Fix common misspellings 2011-03-31 11:26:23 -03:00
key pfkey: fix warning 2011-03-01 22:51:52 -08:00
l2tp l2tp: fix possible oops on l2tp_eth module unload 2011-03-21 18:10:25 -07:00
lapb Net: lapb: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:14 -08:00
llc llc: Fix length check in llc_fixup_skb(). 2011-04-11 18:59:05 -07:00
mac80211 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-04-22 13:21:38 -07:00
netfilter Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6 2011-04-19 11:28:35 -07:00
netlabel Fix common misspellings 2011-03-31 11:26:23 -03:00
netlink Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-03-03 21:27:42 -08:00
netrom
packet af_packet: struct socket declared/assigned but unused 2011-03-07 15:51:13 -08:00
phonet Phonet: fix aligned-mode pipe socket buffer header reserve 2011-03-15 14:55:49 -07:00
rds Fix common misspellings 2011-03-31 11:26:23 -03:00
rfkill kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
rose Fix common misspellings 2011-03-31 11:26:23 -03:00
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
sched Fix common misspellings 2011-03-31 11:26:23 -03:00
sctp sctp: fix oops while removed transport still using as retran path 2011-04-12 19:33:51 -07:00
sunrpc Merge branch 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6 2011-04-08 11:47:35 -07:00
tipc Fix common misspellings 2011-03-31 11:26:23 -03:00
unix af_unix: Only allow recv on connected seqpacket sockets. 2011-05-01 23:16:28 -07:00
wanrouter Fix common misspellings 2011-03-31 11:26:23 -03:00
wimax
wireless Merge branch 'for-linus2' of git://git.profusion.mobi/users/lucas/linux-2.6 2011-04-07 11:14:49 -07:00
x25 Fix common misspellings 2011-03-31 11:26:23 -03:00
xfrm xfrm: Check for the new replay implementation if an esn state is inserted 2011-04-26 12:46:04 -07:00
compat.c net: Limit socket I/O iovec total length to INT_MAX. 2010-10-28 11:47:52 -07:00
Kconfig net: RPS: Enable hardware acceleration of RFS 2011-01-24 14:53:01 -08:00
Makefile net: Enter net/ipv6/ even if CONFIG_IPV6=n 2011-03-07 12:50:52 -08:00
nonet.c
socket.c Fix common misspellings 2011-03-31 11:26:23 -03:00
sysctl_net.c
TUNABLE