[PATCH net] fix null-deref in ipv4_link_failure

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kyle Zeng <zengyhkyle@gmail.com>
To: pabeni@redhat.com, dsahern@kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, ssuryaextr@gmail.com
Subject: [PATCH net] fix null-deref in ipv4_link_failure
Date: Thu, 7 Sep 2023 20:18:20 -0700	[thread overview]
Message-ID: <ZPqSfGGAwa1I69Sm@westworld> (raw)

Currently, we assume the skb is associated with a device before calling
__ip_options_compile, which is not always the case if it is re-routed by
ipvs.
When skb->dev is NULL, dev_net(skb->dev) will become null-dereference.
This patch adds a check for the edge case and switch to use the net_device
from the rtable when skb->dev is NULL.

Suggested-by: Paolo Abeni<pabeni@redhat.com>
Suggested-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
---
 net/ipv4/route.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index d8c99bdc617..1be34e5eea1 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1214,6 +1214,7 @@ EXPORT_INDIRECT_CALLABLE(ipv4_dst_check);
 static void ipv4_send_dest_unreach(struct sk_buff *skb)
 {
 	struct ip_options opt;
+	struct net_device *dev;
 	int res;
 
 	/* Recompile ip options since IPCB may not be valid anymore.
@@ -1230,7 +1231,8 @@ static void ipv4_send_dest_unreach(struct sk_buff *skb)
 		opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr);
 
 		rcu_read_lock();
-		res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
+		dev = skb->dev ? skb->dev : skb_rtable(skb)->dst.dev;
+		res = __ip_options_compile(dev_net(dev), &opt, skb, NULL);
 		rcu_read_unlock();
 
 		if (res)
-- 
2.34.1

next             reply	other threads:[~2023-09-08  3:18 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-08  3:18 Kyle Zeng [this message]
2023-09-08 20:13 ` [PATCH net] fix null-deref in ipv4_link_failure Vadim Fedorenko
2023-09-11  4:36 ` David Ahern
2023-09-11  6:09 ` Paolo Abeni
  -- strict thread matches above, loose matches on Subject: below --
2023-09-12  2:35 Kyle Zeng
2023-09-12 15:58 ` David Ahern
2023-09-14  9:17 ` Paolo Abeni

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d8c99bdc61 dfblob:1be34e5eea )
 OR (
bs:"[PATCH net] fix null-deref in ipv4_link_failure" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZPqSfGGAwa1I69Sm@westworld \
    --to=zengyhkyle@gmail.com \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=ssuryaextr@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.