From: Jean Sacren <sakiwit@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Daniel Borkmann <dborkman@redhat.com>,
	davem@davemloft.net, netdev@vger.kernel.org,
	yoshfuji@linux-ipv6.org
Subject: Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
Date: Tue, 3 Sep 2013 13:46:20 -0600	[thread overview]
Message-ID: <20130903194620.GE8262@mail.gmail.com> (raw)
In-Reply-To: <1378230513.7360.37.camel@edumazet-glaptop>

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 03 Sep 2013 10:48:33 -0700
>
> On Tue, 2013-09-03 at 19:29 +0200, Daniel Borkmann wrote:
> > In tcp_v6_do_rcv() code, when processing pkt options, we solely work
> > on our skb clone opt_skb that we've created earlier before entering
> > tcp_rcv_established() on our way. However, only in condition ...
> > 
> >   if (np->rxopt.bits.rxtclass)
> >     np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > 
> > ... we work on skb itself. As we extract every other information out
> > of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
> > already be released by tcp_rcv_established() earlier on. When we try
> > to access it in ipv6_hdr(), we will dereference freed skb.
> > 
> > Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
> > Cc: Eric Dumazet <eric.dumazet@gmail.com>
> > ---
> >  net/ipv6/tcp_ipv6.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > index 6e1649d..eeb4cb0 100644
> > --- a/net/ipv6/tcp_ipv6.c
> > +++ b/net/ipv6/tcp_ipv6.c
> > @@ -1427,7 +1427,7 @@ ipv6_pktoptions:
> >  		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
> >  			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
> >  		if (np->rxopt.bits.rxtclass)
> > -			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > +			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(opt_skb));
> >  		if (ipv6_opt_accepted(sk, opt_skb)) {
> >  			skb_set_owner_r(opt_skb, sk);
> >  			opt_skb = xchg(&np->pktoptions, opt_skb);
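Review bot: the tclass line now takes its header from the same opt_skb as the hop_limit line two lines above, which is the right fix; what the commit log still lacks is the commit that introduced the ipv6_hdr(skb) read, which the replies below dispute (4c507d2897bd9b versus e7219858a), so naming it explicitly in the changelog would make the stable backport target unambiguous. The read also has to stay where it is, before the xchg(&np->pktoptions, opt_skb) at the end of the hunk, because after that exchange opt_skb holds whatever was previously queued in np->pktoptions rather than this packet's clone.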
> 
> Bug added in commit 4c507d2897bd9b
> ("net: implement IP_RECVTOS for IP_PKTOPTIONS")
> 
> CC Jiri
> 
> Acked-by: Eric Dumazet <edumazet@google.com>

You made a mistake.

It was introduced in commit e7219858a ("ipv6: Use ipv6_get_dsfield()
instead of ipv6_tclass()").

Cc the right party.

-- 
Jean Sacren
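The lifetime problem the patch fixes, as an added user-space model that is not part of this thread or of the kernel source: an skb is cloned into opt_skb, the original is handed to tcp_rcv_established() (which queues or frees it), and the pktoptions code must then read the IPv6 header only from the clone. The struct and the model_* helpers below are simplified stand-ins for sk_buff, skb_clone(), consume_skb() and ipv6_get_dsfield(); the packet bytes are constructed inline. Consuming an skb is modelled by poisoning its header with the kernel's 0x6b free-poison byte rather than calling free(), so the pre-patch read is observable and deterministic instead of undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

#define IPV6_HDR_LEN 40
#define POISON_FREE  0x6b   /* kernel POISON_FREE byte, standing in for freed memory here */

/* Minimal sk_buff stand-in: only the fixed IPv6 header matters for this bug. */
struct skb_model {
    uint8_t hdr[IPV6_HDR_LEN];
    int consumed;
};

/* Same extraction as ipv6_get_dsfield(): the traffic class is bits 4..11
 * of the first 16 bits of the header (version nibble, tclass, flow label). */
static uint8_t model_get_dsfield(const uint8_t *hdr)
{
    uint16_t first;
    memcpy(&first, hdr, sizeof first);
    return (uint8_t)((ntohs(first) >> 4) & 0xff);
}

/* Hop limit is byte 7 of the fixed header (the rxhlim branch reads it). */
static uint8_t model_get_hop_limit(const uint8_t *hdr)
{
    return hdr[7];
}

/* Constructed input: a packet with the given traffic class and hop limit. */
static struct skb_model *model_alloc(uint8_t tclass, uint8_t hop_limit)
{
    struct skb_model *skb = calloc(1, sizeof *skb);
    if (!skb)
        return NULL;
    skb->hdr[0] = (uint8_t)(0x60 | (tclass >> 4));   /* version 6 | tclass high nibble */
    skb->hdr[1] = (uint8_t)((tclass & 0x0f) << 4);   /* tclass low nibble | flow label 0 */
    skb->hdr[7] = hop_limit;
    return skb;
}

/* skb_clone() stand-in: the clone carries its own copy of the header. */
static struct skb_model *model_clone(const struct skb_model *skb)
{
    struct skb_model *c = malloc(sizeof *c);
    if (c)
        memcpy(c, skb, sizeof *c);
    return c;
}

/* tcp_rcv_established() stand-in: the caller no longer owns skb afterwards.
 * Poison instead of free() so the stale read below returns a known pattern. */
static void model_rcv_established(struct skb_model *skb)
{
    memset(skb->hdr, POISON_FREE, sizeof skb->hdr);
    skb->consumed = 1;
}

struct rcv_result {
    int hop_limit;   /* always read from opt_skb, as in the unchanged lines */
    int tclass;      /* read from skb (pre-patch) or from opt_skb (patched) */
};

/* Model of the ipv6_pktoptions path in tcp_v6_do_rcv(). read_tclass_from_clone == 0
 * reproduces the pre-patch ipv6_get_dsfield(ipv6_hdr(skb)); 1 reproduces the fix. */
static struct rcv_result model_tcp_v6_do_rcv(uint8_t tclass, uint8_t hop_limit,
                                             int read_tclass_from_clone)
{
    struct rcv_result r = { -1, -1 };
    struct skb_model *skb = model_alloc(tclass, hop_limit);
    struct skb_model *opt_skb = skb ? model_clone(skb) : NULL;

    if (!skb || !opt_skb) {
        free(skb);
        free(opt_skb);
        return r;
    }

    model_rcv_established(skb);   /* skb is gone from the caller's point of view */

    /* ipv6_pktoptions: every other field comes from opt_skb ... */
    r.hop_limit = model_get_hop_limit(opt_skb->hdr);
    /* ... and so must the traffic class; reading skb here is the bug. */
    r.tclass = model_get_dsfield(read_tclass_from_clone ? opt_skb->hdr : skb->hdr);

    free(opt_skb);
    free(skb);
    return r;
}

int main(void)
{
    struct rcv_result bug = model_tcp_v6_do_rcv(0xb8, 64, 0);
    struct rcv_result fix = model_tcp_v6_do_rcv(0xb8, 64, 1);

    printf("pre-patch: tclass=0x%02x hop_limit=%d\n", bug.tclass, bug.hop_limit);
    printf("patched:   tclass=0x%02x hop_limit=%d\n", fix.tclass, fix.hop_limit);
    return (fix.tclass == 0xb8 && bug.tclass != 0xb8) ? 0 : 1;
}
```

With traffic class 0xb8 (EF) the patched path returns 0xb8 while the pre-patch path returns 0xb6, the value the dsfield extraction yields from two 0x6b poison bytes; in the real kernel the freed skb's memory holds whatever the allocator or a later allocation put there, so the stored rcv_tclass would be arbitrary rather than a fixed pattern.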


Thread overview: 10+ messages
2013-09-03 17:29 [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv Daniel Borkmann
2013-09-03 17:48 ` Eric Dumazet
2013-09-03 19:46   ` Jean Sacren [this message]
2013-09-03 20:35     ` Eric Dumazet
2013-09-03 21:59       ` Jean Sacren
2013-09-03 22:25         ` Daniel Borkmann
2013-09-03 22:29         ` Eric Dumazet
2013-09-04  0:51           ` Jean Sacren
2013-09-04  6:26             ` Jiri Benc
2013-09-04 18:57 ` David Miller
