rpms / kernel

Clone
Source Code
GIT

Blame ipv6-fix-null-dereference-in-udp6_ufo_fragment.patch

26 Label_NFS f10 f11 f12 f12-user-myoung-xendom0 f13 f13-2.6.33-master f13-user-steved-pnfs-13 f14 f14-user-kyle-bz664206 f14-user-kyle-f14-2.6.37 f14-user-lkundrak-vaio-brightness-645937 f14-user-steved-pnfs-f14 f15 f15-2.6.39 f15-30-going-on-40 f15-user-steved-pnfs-f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f25-pf f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main oneoffs private-jcm-arm-nosmp-kallsyms private-jcm-arm-nosmp-kallsyms-f17 private-nhorman-sgx-v15 rawhide rhbz_1205083 stabilization talos user/steved/f19-lnfs-v3.8 user/steved/f19-lnfs-v3.8-rc7
  1.   f14
  2.   ipv6-fix-null-dereference-in-udp6_ufo_fragment.patch
Blob History Raw
Chuck Ebbert 4d20e68 
From jasowang@redhat.com Sat Oct  8 20:56:54 2011
Chuck Ebbert 4d20e68 
Subject: ipv6: fix NULL dereference in udp6_ufo_fragment()
Chuck Ebbert 4d20e68 
To: gregkh@suse.de, stable@kernel.org
Chuck Ebbert 4d20e68 
From: Jason Wang <jasowang@redhat.com>
Chuck Ebbert 4d20e68 
Cc: davem@davemloft.net, eric.dumazet@gmail.com
Chuck Ebbert 4d20e68 
Date: Sun, 09 Oct 2011 10:56:44 +0800
Chuck Ebbert 4d20e68 
Message-ID: <20111009025644.9437.53281.stgit@dhcp-8-146.nay.redhat.com>
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
From: Jason Wang <jasowang@redhat.com>
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
This patch fixes the issue caused by ef81bb40bf15f350fe865f31fa42f1082772a576
Chuck Ebbert 4d20e68 
which is a backport of upstream 87c48fa3b4630905f98268dde838ee43626a060c. The
Chuck Ebbert 4d20e68 
problem does not exist in upstream.
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
We do not check whether route is attached before trying to assign ip
Chuck Ebbert 4d20e68 
identification through route dest which lead NULL pointer dereference. This
Chuck Ebbert 4d20e68 
happens when host bridge transmit a packet from guest.
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
This patch changes ipv6_select_ident() to accept in6_addr as its paramter and
Chuck Ebbert 4d20e68 
fix the issue by using the destination address in ipv6 header when no route is
Chuck Ebbert 4d20e68 
attached.
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
Signed-off-by: Jason Wang <jasowang@redhat.com>
Chuck Ebbert 4d20e68 
Acked-by: David S. Miller <davem@davemloft.net>
Chuck Ebbert 4d20e68 
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Chuck Ebbert 4d20e68 
---
Chuck Ebbert 4d20e68 
 include/net/ipv6.h    |    2 +-
Chuck Ebbert 4d20e68 
 net/ipv6/ip6_output.c |   10 +++++-----
Chuck Ebbert 4d20e68 
 net/ipv6/udp.c        |    4 +++-
Chuck Ebbert 4d20e68 
 3 files changed, 9 insertions(+), 7 deletions(-)
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
--- a/include/net/ipv6.h
Chuck Ebbert 4d20e68 
+++ b/include/net/ipv6.h
Chuck Ebbert 4d20e68 
@@ -463,7 +463,7 @@ static inline int ipv6_addr_diff(const s
Chuck Ebbert 4d20e68 
 	return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
Chuck Ebbert 4d20e68 
 }
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
-extern void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
Chuck Ebbert 4d20e68 
+extern void ipv6_select_ident(struct frag_hdr *fhdr, struct in6_addr *addr);
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
 /*
Chuck Ebbert 4d20e68 
  *	Prototypes exported by ipv6
Chuck Ebbert 4d20e68 
--- a/net/ipv6/ip6_output.c
Chuck Ebbert 4d20e68 
+++ b/net/ipv6/ip6_output.c
Chuck Ebbert 4d20e68 
@@ -620,9 +620,9 @@ static u32 __ipv6_select_ident(const str
Chuck Ebbert 4d20e68 
 	return hash + newid;
Chuck Ebbert 4d20e68 
 }
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
Chuck Ebbert 4d20e68 
+void ipv6_select_ident(struct frag_hdr *fhdr, struct in6_addr *addr)
Chuck Ebbert 4d20e68 
 {
Chuck Ebbert 4d20e68 
-	fhdr->identification = htonl(__ipv6_select_ident(&rt->rt6i_dst.addr));
Chuck Ebbert 4d20e68 
+	fhdr->identification = htonl(__ipv6_select_ident(addr));
Chuck Ebbert 4d20e68 
 }
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
 static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
Chuck Ebbert 4d20e68 
@@ -709,7 +709,7 @@ int ip6_fragment(struct sk_buff *skb, in
Chuck Ebbert 4d20e68 
 		skb_reset_network_header(skb);
Chuck Ebbert 4d20e68 
 		memcpy(skb_network_header(skb), tmp_hdr, hlen);
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
-		ipv6_select_ident(fh, rt);
Chuck Ebbert 4d20e68 
+		ipv6_select_ident(fh, &rt->rt6i_dst.addr);
Chuck Ebbert 4d20e68 
 		fh->nexthdr = nexthdr;
Chuck Ebbert 4d20e68 
 		fh->reserved = 0;
Chuck Ebbert 4d20e68 
 		fh->frag_off = htons(IP6_MF);
Chuck Ebbert 4d20e68 
@@ -855,7 +855,7 @@ slow_path:
Chuck Ebbert 4d20e68 
 		fh->nexthdr = nexthdr;
Chuck Ebbert 4d20e68 
 		fh->reserved = 0;
Chuck Ebbert 4d20e68 
 		if (!frag_id) {
Chuck Ebbert 4d20e68 
-			ipv6_select_ident(fh, rt);
Chuck Ebbert 4d20e68 
+			ipv6_select_ident(fh, &rt->rt6i_dst.addr);
Chuck Ebbert 4d20e68 
 			frag_id = fh->identification;
Chuck Ebbert 4d20e68 
 		} else
Chuck Ebbert 4d20e68 
 			fh->identification = frag_id;
Chuck Ebbert 4d20e68 
@@ -1146,7 +1146,7 @@ static inline int ip6_ufo_append_data(st
Chuck Ebbert 4d20e68 
 		skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
Chuck Ebbert 4d20e68 
 					     sizeof(struct frag_hdr)) & ~7;
Chuck Ebbert 4d20e68 
 		skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
Chuck Ebbert 4d20e68 
-		ipv6_select_ident(&fhdr, rt);
Chuck Ebbert 4d20e68 
+		ipv6_select_ident(&fhdr, &rt->rt6i_dst.addr);
Chuck Ebbert 4d20e68 
 		skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
Chuck Ebbert 4d20e68 
 		__skb_queue_tail(&sk->sk_write_queue, skb);
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
--- a/net/ipv6/udp.c
Chuck Ebbert 4d20e68 
+++ b/net/ipv6/udp.c
Chuck Ebbert 4d20e68 
@@ -1309,6 +1309,7 @@ static struct sk_buff *udp6_ufo_fragment
Chuck Ebbert 4d20e68 
 	u8 frag_hdr_sz = sizeof(struct frag_hdr);
Chuck Ebbert 4d20e68 
 	int offset;
Chuck Ebbert 4d20e68 
 	__wsum csum;
Chuck Ebbert 4d20e68 
+	struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
 	mss = skb_shinfo(skb)->gso_size;
Chuck Ebbert 4d20e68 
 	if (unlikely(skb->len <= mss))
Chuck Ebbert 4d20e68 
@@ -1359,7 +1360,8 @@ static struct sk_buff *udp6_ufo_fragment
Chuck Ebbert 4d20e68 
 	fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
Chuck Ebbert 4d20e68 
 	fptr->nexthdr = nexthdr;
Chuck Ebbert 4d20e68 
 	fptr->reserved = 0;
Chuck Ebbert 4d20e68 
-	ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));
Chuck Ebbert 4d20e68 
+	ipv6_select_ident(fptr,
Chuck Ebbert 4d20e68 
+			  rt ? &rt->rt6i_dst.addr : &ipv6_hdr(skb)->daddr);
Chuck Ebbert 4d20e68
Chuck Ebbert 4d20e68 
 	/* Fragment the skb. ipv6 header and the remaining fields of the
Chuck Ebbert 4d20e68 
 	 * fragment header are updated in ipv6_gso_segment()
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.