From: "Levin, Alexander (Sasha Levin)"
To: "stable@vger.kernel.org", "linux-kernel@vger.kernel.org"
Cc: Eric Dumazet, Dmitry Kozlov, "David S. Miller", "Levin, Alexander (Sasha Levin)"
Subject: [PATCH for v4.9 LTS 46/86] ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
Date: Sat, 17 Jun 2017 22:24:43 +0000
Message-ID: <20170617222420.19316-46-alexander.levin@verizon.com>
References: <20170617222420.19316-1-alexander.levin@verizon.com>
In-Reply-To: <20170617222420.19316-1-alexander.levin@verizon.com>

From: Eric Dumazet

[ Upstream commit 21b995a9cb093fff33ec91d7cb3822b882a90a1e ]

Since ip6_tnl_parse_tlv_enc_lim() can call pskb_may_pull(), we must
reload any pointer that was related to skb->head (or skb->data), or
risk use after free.

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet Cc: Dmitry Kozlov Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/ipv6/ip6_gre.c | 3 +++ net/ipv6/ip6_tunnel.c | 2 ++ 2 files changed, 5 insertions(+) diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index 0a5922055da2..a5fdc1aa7a9a 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -582,6 +582,9 @@ static inline int ip6gre_xmit_ipv6(struct sk_buff *skb, struct net_device *dev) return -1; offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); + /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */ + ipv6h = ipv6_hdr(skb); + if (offset > 0) { struct ipv6_tlv_tnl_enc_lim *tel; tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset]; diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index 116b4da06820..63fad2467a7e 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c @@ -1313,6 +1313,8 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) fl6.flowlabel = key->label; } else { offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); + /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */ + ipv6h = ipv6_hdr(skb); if (offset > 0) { struct ipv6_tlv_tnl_enc_lim *tel; -- 2.11.0
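Review bot: In the ip6_gre.c hunk (ip6gre_xmit_ipv6), the reload `ipv6h = ipv6_hdr(skb);` is placed immediately after the `ip6_tnl_parse_tlv_enc_lim()` call, which is the right spot since that call may pskb_may_pull() and reallocate skb->head; the existing `tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset];` line already re-derives its pointer from the skb after the call, so in the visible context ipv6h was the only stale cached pointer. Worth double-checking that no other local captured from skb->head or skb->data before the call (outside the shown lines) is used afterwards, because the rule in the commit message ("reload any pointer that was related to skb->head") applies to all of them, not only ipv6h. A way to remove this class of bug rather than patch one instance is to drop the cached ipv6h local and call ipv6_hdr(skb) at each use site that follows the parse.

Review bot: In the ip6_tunnel.c hunk (ip6ip6_tnl_xmit), the reload sits only inside the `else` branch, which is correct because only that branch calls ip6_tnl_parse_tlv_enc_lim(); the `key->label` branch does not pull, so ipv6h remains valid there. Two small points: this hunk omits the blank line that the ip6_gre.c hunk adds after the reload, so the two fixes are styled differently for the same comment-plus-assignment pattern, and the subject line names ip6ip6_tnl_xmit() while the Fixes: tag references the GRE commit c12b395a4664, so it is worth confirming that this second hunk is covered by that tag for stable backport tracking.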