Subject: Re: [PATCH net] ipv6: Fix dangling pointer when ipv6 fragment
To: Eric Dumazet
From: hujunwei
Message-ID: <30d10040-50ae-f212-271f-210972436151@huawei.com>
Date: Sat, 30 Mar 2019 20:37:40 +0800
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Eric,

Thanks for your suggestion, u8 may not be enough when the packet has a lot of exthdrs.
I will update the patch in v2, and by the way update the Reported-by tag.

On 2019/3/30 15:57, Eric Dumazet wrote:
>
> On 03/30/2019 12:48 AM, Eric Dumazet wrote:
>>
>> On 03/30/2019 12:29 AM, hujunwei wrote:
>>> From: Junwei Hu
>>>
>>> At the beginning of ip6_fragment func, the prevhdr pointer is
>>> obtained in the ip6_find_1stfragopt func.
>>> However, all the pointers pointing into skb header may change
>>> when calling skb_checksum_help func with
>>> skb->ip_summed = CHECKSUM_PARTIAL condition.
>>> The prevhdr pointer will be dangling if it is not reloaded after
>>> calling __skb_linearize func in skb_checksum_help func.
>>>
>>> Here, I add a variable, nexthdr_offset, to evaluate the offset,
>>> which does not change even after calling __skb_linearize func.
>>>
> ...
>
>>> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
>>> index edbd12067170..6db3c60b3b66 100644
>>> --- a/net/ipv6/ip6_output.c
>>> +++ b/net/ipv6/ip6_output.c
>>> @@ -606,12 +606,14 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, >>>      __be32 frag_id; >>>      int ptr, offset = 0, err = 0; >>>      u8 *prevhdr, nexthdr = 0; >>> +    u8 nexthdr_offset; > Why u8 here ? > > I would use "unsigned int" really. > >>>   >>>      err = ip6_find_1stfragopt(skb, &prevhdr); >>>      if (err < 0) >>>          goto fail; >>>      hlen = err; >>>      nexthdr = *prevhdr; >>> +    nexthdr_offset = prevhdr - skb_network_header(skb); >>>   >>>      mtu = ip6_skb_dst_mtu(skb); >>>   >>> @@ -646,6 +648,8 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, >>>          (err = skb_checksum_help(skb))) >>>          goto fail; >>>   >>> +    prevhdr = skb_network_header(skb) + nexthdr_offset; >>> + >>>      hroom = LL_RESERVED_SPACE(rt->dst.dev); >>>      if (skb_has_frag_list(skb)) { >>>          unsigned int first_len = skb_pagelen(skb); >>> > . >
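Review bot: `u8 nexthdr_offset;` in the first hunk is too narrow for the value assigned at `nexthdr_offset = prevhdr - skb_network_header(skb);`. prevhdr points at the Next Header field of the last extension header before the fragmentable part, and the extension headers in front of it are not bounded by 255 bytes in total (a single Hop-by-Hop or Destination Options header can be up to 2048 bytes), so a u8 silently wraps and the later reload would land on the wrong byte. Declare it `unsigned int nexthdr_offset;` as suggested in the thread.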
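Review bot: the reload `prevhdr = skb_network_header(skb) + nexthdr_offset;` in the second hunk needs a one-line comment saying why it exists (skb_checksum_help() may call __skb_linearize(), which can move the header area and invalidate the pointer obtained via ip6_find_1stfragopt()); without it the line reads as redundant and a later cleanup could drop it and reintroduce the dangling pointer. Its placement right after the `goto fail` path is right, since the visible lines dereference prevhdr only before the call (`nexthdr = *prevhdr;`).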
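Added illustration of the bug class and the fix pattern discussed above; this is not code from the patch or the kernel tree, and every name in it is constructed: a heap buffer stands in for the skb header area, a copy-and-free stands in for __skb_linearize(), and the sample packet's extension-header chain is long enough that the stored offset does not fit in a u8.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an skb header area; all names here are hypothetical. */
struct fake_skb { unsigned char *head; size_t len; };
enum { IPV6_HDRLEN = 40, NEXTHDR_HOP = 0, NEXTHDR_DEST = 60, NEXTHDR_TCP = 6 };

/* Like ip6_find_1stfragopt(): offset, from the network header, of the Next Header
 * field that precedes the first fragmentable header (byte 6 if no ext headers). */
static size_t find_prevhdr_offset(const unsigned char *nh, size_t len)
{
    size_t prev = 6, off = IPV6_HDRLEN;
    unsigned char nexthdr = nh[6];
    while ((nexthdr == NEXTHDR_HOP || nexthdr == NEXTHDR_DEST) && off + 2 <= len) {
        prev = off;                               /* ext header's Next Header byte */
        nexthdr = nh[off];
        off += ((size_t)nh[off + 1] + 1) * 8;     /* Hdr Ext Len: 8-octet units + 1 */
    }
    return prev;
}

/* Stand-in for skb_checksum_help() -> __skb_linearize(): the header area moves
 * to fresh memory, so every pointer taken into the old buffer is now dangling. */
static void fake_linearize(struct fake_skb *skb)
{
    unsigned char *fresh = malloc(skb->len + 128);
    if (!fresh) abort();
    memcpy(fresh, skb->head, skb->len); free(skb->head); skb->head = fresh;
}

/* Constructed packet: IPv6, 328-byte Hop-by-Hop, 8-byte Dest Opts, then TCP.
 * The last Next Header field sits at 40 + 328 = 368, which does not fit a u8. */
static struct fake_skb build_packet(void)
{
    struct fake_skb skb = { calloc(1, 512), 512 };
    skb.head[6] = NEXTHDR_HOP;
    skb.head[40] = NEXTHDR_DEST; skb.head[41] = 40;   /* (40 + 1) * 8 = 328 bytes */
    skb.head[368] = NEXTHDR_TCP; skb.head[369] = 0;   /* (0 + 1) * 8 = 8 bytes */
    return skb;
}

/* The patch's pattern: keep the offset (wide enough), then reload prevhdr from
 * the possibly-new header base after the call that may linearize. */
static int nexthdr_after_linearize(void)
{
    struct fake_skb skb = build_packet();
    unsigned int nexthdr_offset = find_prevhdr_offset(skb.head, skb.len);
    fake_linearize(&skb);
    unsigned char *prevhdr = skb.head + nexthdr_offset;   /* reload, as in the fix */
    int nexthdr = *prevhdr;                               /* 6 == NEXTHDR_TCP */
    free(skb.head);
    return nexthdr;
}

/* The offset for this packet (368) and what a u8 declaration would keep of it (112). */
static unsigned int sample_offset(void)
{
    struct fake_skb skb = build_packet();
    unsigned int off = find_prevhdr_offset(skb.head, skb.len);
    free(skb.head);
    return off;
}
static unsigned int sample_offset_as_u8(void) { return (uint8_t)sample_offset(); }
```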