From mboxrd@z Thu Jan 1 00:00:00 1970 From: Patrick McHardy Subject: [IPV4]: route: fix crash ip_route_input Date: Wed, 06 Feb 2008 14:36:57 +0100 Message-ID: <47A9B7F9.3090808@trash.net> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------060405040509010209010802" Cc: Netfilter Development Mailinglist , "Denis V. Lunev" , Linux Netdev List To: "David S. Miller" Return-path: Sender: netfilter-devel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org This is a multi-part message in MIME format. --------------060405040509010209010802 Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit --------------060405040509010209010802 Content-Type: text/x-patch; name="05.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="05.diff" commit dad61a4af7d23146ce67ec2f069f6ba9b75a578d Author: Patrick McHardy Date: Wed Feb 6 14:35:11 2008 +0100 [IPV4]: route: fix crash ip_route_input ip_route_me_harder() may call ip_route_input() with skbs that don't have skb->dev set for skbs rerouted in LOCAL_OUT and TCP resets generated by the REJECT target, resulting in a crash when dereferencing skb->dev->nd_net. Since ip_route_input() has an input device argument, it seems correct to use that one anyway. Bug introduced in b5921910a1 (Routing cache virtualization). Signed-off-by: Patrick McHardy diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 8842ecb..525787b 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2041,7 +2041,7 @@ int ip_route_input(struct sk_buff *skb, __be32 daddr, __be32 saddr, int iif = dev->ifindex; struct net *net; - net = skb->dev->nd_net; + net = dev->nd_net; tos &= IPTOS_RT_MASK; hash = rt_hash(daddr, saddr, iif); --------------060405040509010209010802--
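Review bot: at `net = dev->nd_net;` in ip_route_input(), the namespace lookup now depends entirely on the caller passing a valid `dev`. The context line `int iif = dev->ifindex;` already assumes this, but nothing in the function states it. The commit message explains that skb->dev can be unset for skbs rerouted in LOCAL_OUT and for TCP resets generated by the REJECT target, yet that reasoning lives only in the changelog. A one-line comment above the assignment, saying the namespace is taken from the input device argument because skb->dev may not be set on these paths, would keep a later cleanup from switching back to `skb->dev->nd_net`. The changelog also says only that using the argument "seems correct"; it would help to state outright that `dev` is the intended source of the namespace here. Since the hunk touches this one dereference, please also confirm that no other skb->dev access remains in the code reached from ip_route_me_harder() through this function.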