LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Patrick McHardy <kaber@trash.net>,
	netfilter-devel@lists.netfilter.org, davem@davemloft.net
Subject: [patch 07/59] NETFILTER: nf_conntrack_ipv6: fix crash when handling fragments
Date: Fri, 02 Feb 2007 18:35:11 -0800	[thread overview]
Message-ID: <20070203023835.125598000@sous-sol.org> (raw)
In-Reply-To: <20070203023504.435051000@sous-sol.org>

[-- Attachment #1: netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch --]
[-- Type: text/plain, Size: 1020 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

When IPv6 connection tracking splits up a defragmented packet into
its original fragments, the packets are taken from a list and are
passed to the network stack with skb->next still set. This causes
dev_hard_start_xmit to treat them as GSO fragments, resulting in
a use after free when connection tracking handles the next fragment.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 net/ipv6/netfilter/nf_conntrack_reasm.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.19.2.orig/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ linux-2.6.19.2/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -835,6 +835,8 @@ void nf_ct_frag6_output(unsigned int hoo
 		s->nfct_reasm = skb;
 
 		s2 = s->next;
+		s->next = NULL;
+
 		NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn,
 			       NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
 		s = s2;

--

  parent reply	other threads:[~2007-02-03  2:36 UTC|newest]

Thread overview: 69+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-02-03  2:35 [patch 00/59] -stable review Chris Wright
2007-02-03  2:35 ` [patch 01/59] i2c-mv64xxx: Fix random oops at boot Chris Wright
2007-02-03  2:35 ` [patch 02/59] i2c/m41t00: Do not forget to write year Chris Wright
2007-02-03  2:35 ` [patch 03/59] Check for populated zone in __drain_pages Chris Wright
2007-02-03  2:35 ` [patch 04/59] Fix HWRNG built-in initcalls priority Chris Wright
2007-02-03  2:35 ` [patch 05/59] md: pass down BIO_RW_SYNC in raid{1,10} Chris Wright
2007-02-03  2:35 ` [patch 06/59] NETFILTER: Fix routing of REJECT target generated packets in output chain Chris Wright
2007-02-03  2:35 ` Chris Wright [this message]
2007-02-03  2:35 ` [patch 08/59] NETFILTER: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value Chris Wright
2007-02-03  2:35 ` [patch 09/59] NETFILTER: arp_tables: fix userspace compilation Chris Wright
2007-02-03  2:35 ` [patch 10/59] Repair snd-usb-usx2y over OHCI Chris Wright
2007-02-03  2:35 ` [patch 11/59] [stable] [PATCH] IB/mthca: Fix off-by-one in FMR handling on memfree Chris Wright
2007-02-03  2:35 ` [patch 12/59] [PATCH] Fix reparenting to the same thread group. (take 2) Chris Wright
2007-02-03  2:35 ` [patch 13/59] ieee1394: sbp2: fix probing of some DVD-ROM/RWs Chris Wright
2007-02-03  2:35 ` [patch 14/59] sched: tasks cannot run on cpus onlined after boot Chris Wright
2007-02-03  2:35 ` [patch 15/59] Fix up CIFS for "test_clear_page_dirty()" removal Chris Wright
2007-02-03  2:35 ` [patch 16/59] start_kernel: test if irqs got enabled early, barf, and disable them again Chris Wright
2007-02-03  2:35 ` [patch 17/59] PCI: prevent down_read when pci_devices is empty Chris Wright
2007-02-03 16:16   ` Kumar Gala
2007-02-05 17:04     ` Chris Wright
2007-02-03  2:35 ` [patch 18/59] IPV6 MCAST: Fix joining all-node multicast group on device initialization Chris Wright
2007-02-03  2:35 ` [patch 19/59] NETFILTER: ctnetlink: check for status attribute existence on conntrack creation Chris Wright
2007-02-03  2:35 ` [patch 20/59] NETFILTER: ctnetlink: fix leak in ctnetlink_create_conntrack error path Chris Wright
2007-02-03  2:35 ` [patch 21/59] IPSEC: Policy list disorder Chris Wright
2007-02-03  2:35 ` [patch 22/59] ALSA hda-codec - Fix NULL dereference in generic hda code Chris Wright
2007-02-03  2:35 ` [patch 23/59] SELinux: fix an oops with NetLabel and non-MLS SELinux policy Chris Wright
2007-02-03  2:35 ` [patch 24/59] IB/iser: return error code when PDUs may not be sent Chris Wright
2007-02-03  2:35 ` [patch 25/59] Fix UML on non-standard VM split hosts Chris Wright
2007-02-04  1:06   ` Randy Dunlap
2007-02-04  3:11     ` Jeff Dike
2007-02-04  4:19       ` Randy Dunlap
2007-02-03  2:35 ` [patch 26/59] ACPI: fix cpufreq regression Chris Wright
2007-02-03  2:35 ` [patch 27/59] x86: Work around gcc 4.2 over aggressive optimizer Chris Wright
2007-02-03  2:35 ` [patch 28/59] NETFILTER: Fix iptables ABI breakage on (at least) CRIS Chris Wright
2007-02-03  2:35 ` [patch 29/59] elevator: move clearing of unplug flag earlier Chris Wright
2007-02-03  2:35 ` [patch 30/59] Revert "[PATCH] Fix up mmap_kmem" Chris Wright
2007-02-03  2:35 ` [patch 31/59] remove __devinit markings from rtc_sysfs_add_device() Chris Wright
2007-02-03  2:35 ` [patch 32/59] SPARC64: Set g4/g5 properly in sun4v dtlb-prot handling Chris Wright
2007-02-03  2:35 ` [patch 33/59] sis190: failure to set the MAC address from EEPROM Chris Wright
2007-02-03  2:35 ` [patch 34/59] knfsd: fix setting of ACL server versions Chris Wright
2007-02-03  2:35 ` [patch 35/59] knfsd: fix an NFSD bug with full sized, non-page-aligned reads Chris Wright
2007-02-03  2:35 ` [patch 36/59] knfsd: fix type mismatch with filldir_t used by nfsd Chris Wright
2007-02-03  2:35 ` [patch 37/59] knfsd: fix up some bit-rot in exp_export Chris Wright
2007-02-03  2:35 ` [patch 38/59] md: assorted md and raid1 one-liners Chris Wright
2007-02-03  2:35 ` [patch 39/59] md: make repair actually work for raid1 Chris Wright
2007-02-03  2:35 ` [patch 40/59] md: fix a few problems with the interface (sysfs and ioctl) to md Chris Wright
2007-02-03  2:35 ` [patch 41/59] md: fix potential memalloc deadlock in md Chris Wright
2007-02-03  2:35 ` [patch 42/59] libata: use kmap_atomic(KM_IRQ0) in SCSI simulator Chris Wright
2007-02-03  2:35 ` [patch 43/59] Dont allow the stack to grow into hugetlb reserved regions Chris Wright
2007-02-03  2:35 ` [patch 44/59] uml: fix signal frame alignment Chris Wright
2007-02-03  2:35 ` [patch 45/59] bonding: ARP monitoring broken on x86_64 Chris Wright
2007-02-03  2:35 ` [patch 46/59] jmicron: 40/80pin primary detection Chris Wright
2007-02-03  2:35 ` [patch 47/59] DECNET: Handle a failure in neigh_parms_alloc (take 2) Chris Wright
2007-02-03  2:35 ` [patch 48/59] SPARC32: Fix over-optimization by GCC near ip_fast_csum Chris Wright
2007-02-03  2:35 ` [patch 49/59] IPV4: Fix the fib trie iterator to work with a single entry routing tables Chris Wright
2007-02-03  2:35 ` [patch 50/59] IPV4: Fix single-entry /proc/net/fib_trie output Chris Wright
2007-02-03  2:35 ` [patch 51/59] AF_PACKET: Fix BPF handling Chris Wright
2007-02-03  2:35 ` [patch 52/59] AF_PACKET: Check device down state before hard header callbacks Chris Wright
2007-02-03  2:35 ` [patch 53/59] TCP: rare bad TCP checksum with 2.6.19 Chris Wright
2007-02-03  2:35 ` [patch 54/59] TCP: Fix sorting of SACK blocks Chris Wright
2007-02-03  2:35 ` [patch 55/59] TCP: skb is unexpectedly freed Chris Wright
2007-02-03  2:36 ` [patch 56/59] NETFILTER: xt_connbytes: fix division by zero Chris Wright
2007-02-03  2:36 ` [patch 57/59] SUNRPC: Give cloned RPC clients their own rpc_pipefs directory Chris Wright
2007-02-03  2:36 ` [patch 58/59] move_task_off_dead_cpu() should be called with disabled ints Chris Wright
2007-02-03  2:36 ` [patch 59/59] sched: fix cond_resched_softirq() offset Chris Wright
2007-02-03  2:59 ` [stable] [patch 00/59] -stable review Chris Wright
2007-02-04  6:08   ` Randy Dunlap
2007-02-04 13:36     ` Dave Jones
2007-02-04 17:30       ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070203023835.125598000@sous-sol.org \
    --to=chrisw@sous-sol.org \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=davem@davemloft.net \
    --cc=jmforbes@linuxtx.org \
    --cc=kaber@trash.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkrufky@linuxtv.org \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=zwane@arm.linux.org.uk \
    --subject='Re: [patch 07/59] NETFILTER: nf_conntrack_ipv6: fix crash when handling fragments' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).