| From foo@baz Tue Oct 16 16:47:53 CEST 2018 |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Sun, 30 Sep 2018 11:33:39 -0700 |
| Subject: ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() |
| |
| From: Eric Dumazet <edumazet@google.com> |
| |
| [ Upstream commit 64199fc0a46ba211362472f7f942f900af9492fd ] |
| |
| Caching ip_hdr(skb) before a call to pskb_may_pull() is buggy, |
| do not do it. |
| |
| Fixes: 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull") |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Cc: Willem de Bruijn <willemb@google.com> |
| Reported-by: syzbot <syzkaller@googlegroups.com> |
| Acked-by: Willem de Bruijn <willemb@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv4/ip_sockglue.c | 3 +-- |
| 1 file changed, 1 insertion(+), 2 deletions(-) |
| |
| --- a/net/ipv4/ip_sockglue.c |
| +++ b/net/ipv4/ip_sockglue.c |
| @@ -134,7 +134,6 @@ static void ip_cmsg_recv_security(struct |
| static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) |
| { |
| struct sockaddr_in sin; |
| - const struct iphdr *iph = ip_hdr(skb); |
| __be16 *ports; |
| int end; |
| |
| @@ -149,7 +148,7 @@ static void ip_cmsg_recv_dstaddr(struct |
| ports = (__be16 *)skb_transport_header(skb); |
| |
| sin.sin_family = AF_INET; |
| - sin.sin_addr.s_addr = iph->daddr; |
| + sin.sin_addr.s_addr = ip_hdr(skb)->daddr; |
| sin.sin_port = ports[1]; |
| memset(sin.sin_zero, 0, sizeof(sin.sin_zero)); |
| |
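Review bot: The new `ip_hdr(skb)->daddr` read has no comment saying why the header pointer must not be cached, so a later cleanup could hoist it back into a local at the top of ip_cmsg_recv_dstaddr() and reintroduce the use-after-free. The commit message names pskb_may_pull() as the hazard; that call sits between the two hunks and is not visible here, but it can reallocate the skb head and leave earlier header pointers dangling. I would add above the assignment `/* Re-read ip_hdr(): pskb_may_pull() above may have reallocated skb->head. */`. The same rule applies to `ports`, which is taken from skb_transport_header(skb) in this hunk and so appears to be fetched after the pull. The function body starts in the previous hunk and continues past this one.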