ipv6: protect skb->sk accesses from recursive dereference inside the stack
We should not consult skb->sk for output decisions in xmit recursion levels > 0 in the stack. Otherwise local socket settings could influence the result of e.g. tunnel encapsulation process. ipv6 does not conform with this in three places: 1) ip6_fragment: we do consult ipv6_npinfo for frag_size 2) sk_mc_loop in ipv6 uses skb->sk and checks if we should loop the packet back to the local socket 3) ip6_skb_dst_mtu could query the settings from the user socket and force a wrong MTU Furthermore: In sk_mc_loop we could potentially land in WARN_ON(1) if we use a PF_PACKET socket ontop of an IPv6-backed vxlan device. Reuse xmit_recursion as we are currently only interested in protecting tunnel devices. Cc: Jiri Pirko <jiri@resnulli.us> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:

committed by
David S. Miller

parent
576b7cd2f6
commit
f60e5990d9
@@ -453,22 +453,6 @@ static __inline__ void inet_reset_saddr(struct sock *sk)
|
||||
|
||||
#endif
|
||||
|
||||
static inline int sk_mc_loop(struct sock *sk)
|
||||
{
|
||||
if (!sk)
|
||||
return 1;
|
||||
switch (sk->sk_family) {
|
||||
case AF_INET:
|
||||
return inet_sk(sk)->mc_loop;
|
||||
#if IS_ENABLED(CONFIG_IPV6)
|
||||
case AF_INET6:
|
||||
return inet6_sk(sk)->mc_loop;
|
||||
#endif
|
||||
}
|
||||
WARN_ON(1);
|
||||
return 1;
|
||||
}
|
||||
|
||||
bool ip_call_ra_chain(struct sk_buff *skb);
|
||||
|
||||
/*
|
||||
|
Reference in New Issue
Block a user