From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Bernhard Thaler <bernhard.thaler@wvnet.at>
Cc: kadlec@blackhole.kfki.hu, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org
Subject: Re: [PATCH 1/1] bridge: forward IPv6 fragmented packets when passing netfilter
Date: Tue, 20 Jan 2015 18:28:05 +0100
Message-ID: <20150120172805.GA11456@salvia>
In-Reply-To: <1421628209-5064-1-git-send-email-bernhard.thaler@wvnet.at>
On Mon, Jan 19, 2015 at 01:43:29AM +0100, Bernhard Thaler wrote:
> ip6_fragment() in net/ipv6/ip6_output.c was changed due to a NULL pointer de-
> reference happening when handling packets coming from br_nf_dev_queue_xmit().
> When calling IP6_INC_STATS(), ip6_dst_idev(skb_dst(skb)) did crash the kernel
> like this:
>
> BUG: unable to handle kernel NULL pointer dereference at 000000000000037a
> IP: [<ffffffff814cba2a>] ip6_fragment+0x99a/0x1290
> PGD 3bc3f067 PUD 3bc12067 PMD 0
> Oops: 0000 [#1] SMP
> ...
>
> So in6_dev_get(skb->dev) is used to set a variable "idev" which is used to call
> IP6_INC_STATS() later on. It is assumed that this also solves other occasions
> where ip6_fragment() will be called that may cause the same crash. However,
> a better fix would be to check for the missing element causing the NULL pointer
> dereference and only setting it when it is missing.
IP6_INC_STATS() handles null idev pointers. I suspect the struct
fake_rtable in struct net_bridge (see net/bridge/br_private.h) needs
to be converted to something like:
union {
struct rtable fake_rtable;
struct rt6_info fake_rt6_info;
};
just to allocate enough room for it.
> ip6_fragment() is further changed to use nf_bridge_mtu_reduction(skb) as it is
> done in the IPv4 code.
This specific change looks the same to what we have in IPv4, so no
objections.
Thanks.
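The two points Pablo raises (IP6_INC_STATS() tolerating a NULL idev, and giving struct net_bridge a union slot large enough for either an IPv4 struct rtable or an IPv6 struct rt6_info) are sketched below as an added example; it is not kernel code and not the patch under review. The struct names are toy stand-ins with made-up field layouts (assumption), and toy_ip6_inc_stats() is a hypothetical helper modelling the NULL check, not the real macro.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not kernel code. The structs below are stand-ins for the
 * kernel types named in the thread; their fields are invented. Only the
 * layout idea (one slot big enough for either family's route) matters. */
struct toy_rtable {            /* stand-in for struct rtable (IPv4) */
    uint32_t dst_flags;
    uint32_t rt_gateway;
};

struct toy_rt6_info {          /* stand-in for struct rt6_info (IPv6), larger */
    uint32_t dst_flags;
    uint8_t  rt6i_gateway[16];
    uint32_t rt6i_flags;
};

/* The union suggested in the reply: one embedded slot in the bridge that
 * can be handed out as the fake dst for either protocol family. */
struct toy_net_bridge {
    union {
        struct toy_rtable   fake_rtable;
        struct toy_rt6_info fake_rt6_info;
    } fake_rt;
};

struct toy_inet6_dev {         /* stand-in for struct inet6_dev */
    unsigned long frag_fails;
};

/* Models "IP6_INC_STATS() handles null idev pointers": returns 1 when a
 * counter was bumped, 0 when idev is NULL (no dereference, no count). */
static int toy_ip6_inc_stats(struct toy_inet6_dev *idev)
{
    if (idev == NULL)
        return 0;
    idev->frag_fails++;
    return 1;
}

/* 1 if the union slot has room for both route structs, else 0. */
static int fake_rt_fits(void)
{
    size_t slot = sizeof(((struct toy_net_bridge *)0)->fake_rt);
    return slot >= sizeof(struct toy_rtable) &&
           slot >= sizeof(struct toy_rt6_info);
}

/* Set up the slot for one family (4 or 6); returns the bytes that family
 * actually uses so the caller can see it never exceeds the slot. */
static size_t fake_rt_init(struct toy_net_bridge *br, int family)
{
    memset(&br->fake_rt, 0, sizeof(br->fake_rt));
    if (family == 4) {
        br->fake_rt.fake_rtable.dst_flags = 1;
        return sizeof(struct toy_rtable);
    }
    br->fake_rt.fake_rt6_info.dst_flags = 1;
    return sizeof(struct toy_rt6_info);
}

/* Exercise both points; returns the number of checks that passed (3). */
static int fake_rt_demo(void)
{
    struct toy_net_bridge br;
    struct toy_inet6_dev dev = { 0 };
    int ok = 0;

    ok += fake_rt_fits();
    ok += (toy_ip6_inc_stats(NULL) == 0);                 /* NULL tolerated */
    ok += (fake_rt_init(&br, 6) <= sizeof(br.fake_rt) &&
           fake_rt_init(&br, 4) <= sizeof(br.fake_rt) &&
           toy_ip6_inc_stats(&dev) == 1 && dev.frag_fails == 1);
    return ok;
}
```

The union costs nothing for the IPv4 path (the slot is simply as large as the bigger member) and avoids the separate allocation that a per-family pointer would need.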
Thread overview:
2015-01-19 0:43 [PATCH 1/1] bridge: forward IPv6 fragmented packets when passing netfilter Bernhard Thaler
2015-01-20 17:28 ` Pablo Neira Ayuso [this message]
2015-01-22 23:27 ` [PATCHv2 " Bernhard Thaler
2015-01-22 23:49 ` Florian Westphal
2015-01-27 1:22 ` [PATCHv3 " Bernhard Thaler
2015-01-27 9:39 ` Florian Westphal
2015-01-27 23:15 ` [PATCHv4 RFC " Bernhard Thaler
2015-01-30 17:17 ` Pablo Neira Ayuso
2015-01-30 17:25 ` Pablo Neira Ayuso
2015-03-18 21:53 ` [PATCH 2/4] " Bernhard Thaler