[PATCH 1/3] netfilter: Fix potential use after free in ip6_route_me_harder()

[PATCH 1/3] netfilter: Fix potential use after free in ip6_route_me_harder()

[Sergey Popovich]

Dst is released one line before we access it again with dst->error.

Fixes: 58e35d147128 netfilter: ipv6: propagate routing errors from
ip6_route_me_harder()

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
---
 net/ipv6/netfilter.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 95f3f1d..d38e6a8 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -30,13 +30,15 @@ int ip6_route_me_harder(struct sk_buff *skb)
 		.daddr = iph->daddr,
 		.saddr = iph->saddr,
 	};
+	int err;
 
 	dst = ip6_route_output(net, skb->sk, &fl6);
-	if (dst->error) {
+	err = dst->error;
+	if (err) {
 		IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
 		LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
 		dst_release(dst);
-		return dst->error;
+		return err;
 	}
 
 	/* Drop old route. */
-- 
1.8.3.4

Re: [PATCH 1/3] netfilter: Fix potential use after free in ip6_route_me_harder()

[David Miller]

From: Sergey Popovich <popovich_sergei@mail.ru>
Date: Tue,  6 May 2014 18:17:19 +0300

> Dst is released one line before we access it again with dst->error.
> 
> Fixes: 58e35d147128 netfilter: ipv6: propagate routing errors from
> ip6_route_me_harder()
> 
> Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>

Sergey, please do not submit patch series crossing multiple maintainers
(here Netfilter vs. generic networking) without first coordinating with
those maintainers as to who will take your entire series in.

Another option is to submit things in the usual manner, submit the
netfilter change to the netfilter maintainer, and then seperately
the other two patches to me.

I'm dropping these patches.