Home Verkennen Help
Registreren Inloggen
phyus
/
linux-vybrid_public
8
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Bladeren bron

net: ip_expire() must revalidate route

Commit 4a94445c9a5c (net: Use ip_route_input_noref() in input path)
added a bug in IP defragmentation handling, in case timeout is fired.

When a frame is defragmented, we use last skb dst field when building
final skb. Its dst is valid, since we are in rcu read section.

But if a timeout occurs, we take first queued fragment to build one ICMP
TIME EXCEEDED message. Problem is all queued skb have weak dst pointers,
since we escaped RCU critical section after their queueing. icmp_send()
might dereference a now freed (and possibly reused) part of memory.

Calling skb_dst_drop() and ip_route_input_noref() to revalidate route is
the only possible choice.

Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet 14 jaren geleden
bovenliggende
ff538818f4
commit
64f3b9e203
1 gewijzigde bestanden met toevoegingen van 15 en 16 verwijderingen
Gecombineerde weergave Toon Diff Stats
  1. 15 16
      net/ipv4/ip_fragment.c

+ 15 - 16
net/ipv4/ip_fragment.c
Bestand weergeven 

@@ -223,31 +223,30 @@ static void ip_expire(unsigned long arg)
 
 
 
 	if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
 
 	if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
 
 		struct sk_buff *head = qp->q.fragments;
 
 		struct sk_buff *head = qp->q.fragments;
 
+		const struct iphdr *iph;
 
+		int err;
 
 
 
 		rcu_read_lock();
 
 		rcu_read_lock();
 
 		head->dev = dev_get_by_index_rcu(net, qp->iif);
 
 		head->dev = dev_get_by_index_rcu(net, qp->iif);
 
 		if (!head->dev)
 
 		if (!head->dev)
 
 			goto out_rcu_unlock;
 
 			goto out_rcu_unlock;
 
 
 
+		/* skb dst is stale, drop it, and perform route lookup again */
 
+		skb_dst_drop(head);
 
+		iph = ip_hdr(head);
 
+		err = ip_route_input_noref(head, iph->daddr, iph->saddr,
 
+					   iph->tos, head->dev);
 
+		if (err)
 
+			goto out_rcu_unlock;
 
+
 
 		/*
 
 		/*
 
-		 * Only search router table for the head fragment,
 
-		 * when defraging timeout at PRE_ROUTING HOOK.
 
+		 * Only an end host needs to send an ICMP
 
+		 * "Fragment Reassembly Timeout" message, per RFC792.
 
 		 */
 
 		 */
 
-		if (qp->user == IP_DEFRAG_CONNTRACK_IN && !skb_dst(head)) {
 
-			const struct iphdr *iph = ip_hdr(head);
 
-			int err = ip_route_input(head, iph->daddr, iph->saddr,
 
-						 iph->tos, head->dev);
 
-			if (unlikely(err))
 
-				goto out_rcu_unlock;
 
-
 
-			/*
 
-			 * Only an end host needs to send an ICMP
 
-			 * "Fragment Reassembly Timeout" message, per RFC792.
 
-			 */
 
-			if (skb_rtable(head)->rt_type != RTN_LOCAL)
 
-				goto out_rcu_unlock;
 
+		if (qp->user == IP_DEFRAG_CONNTRACK_IN &&
 
+		    skb_rtable(head)->rt_type != RTN_LOCAL)
 
+			goto out_rcu_unlock;
 
 
 
-		}
 
 
 
 		/* Send an ICMP "Fragment Reassembly Timeout" message. */
 
 		/* Send an ICMP "Fragment Reassembly Timeout" message. */
 
 		icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
 
 		icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);