ip_vti: fix potential slab-use-after-free in decode_session6 - linux/linux-stable.git

diff options

author	Zhengchao Shao <shaozhengchao@huawei.com>	2023-07-10 17:40:53 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-08-26 14:23:32 +0200
commit	e1e04cc2ef2c0c0866c19f5627149a76c2baae32 (patch)
tree	6904211aef4c42c917cc8f694224355b5371412b /net/unix/af_unix.c
parent	a1639a82ce14af76b6419778d343ccbff86ee626 (diff)

ip_vti: fix potential slab-use-after-free in decode_session6

[ Upstream commit 6018a266279b1a75143c7c0804dd08a5fc4c3e0b ] When ip_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when ip_vti device sends IPv6 packets. As commit f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets. Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Sasha Levin <sashal@kernel.org>

Diffstat (limited to 'net/unix/af_unix.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: