mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/net
History
Eric Dumazet 97599dc792 net: drop dst before queueing fragments 
Commit 4a94445c9a (net: Use ip_route_input_noref() in input path)
added a bug in IP defragmentation handling, as non refcounted
dst could escape an RCU protected section.

Commit 64f3b9e203 (net: ip_expire() must revalidate route) fixed
the case of timeouts, but not the general problem.

Tom Parkin noticed crashes in UDP stack and provided a patch,
but further analysis permitted us to pinpoint the root cause.

Before queueing a packet into a frag list, we must drop its dst,
as this dst has limited lifetime (RCU protected)

When/if a packet is finally reassembled, we use the dst of the very
last skb, still protected by RCU and valid, as the dst of the
reassembled packet.

Use same logic in IPv6, as there is no need to hold dst references.

Reported-by: Tom Parkin <tparkin@katalix.com>
Tested-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
 		2013-04-17 01:15:29 -04:00
..
9p Revert parts of "hlist: drop the node parameter from iterators" 2013-03-08 15:05:34 -08:00
802 net/802/mrp: fix possible race condition when calling mrp_pdu_queue() 2013-04-12 15:10:48 -04:00
8021q 8021q: fix a potential use-after-free 2013-03-24 17:27:28 -04:00
appletalk hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
atm atm: update msg_namelen in vcc_recvmsg() 2013-04-07 16:28:00 -04:00
ax25 ax25: fix info leak via msg_name in ax25_recvmsg() 2013-04-07 16:28:00 -04:00
batman-adv batman-adv: verify tt len does not exceed packet len 2013-03-11 22:59:47 +01:00
bluetooth Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg() 2013-04-07 16:28:01 -04:00
bridge bridge: make user modified path cost sticky 2013-04-15 14:03:44 -04:00
caif caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() 2013-04-07 16:28:01 -04:00
can can: gw: use kmem_cache_free() instead of kfree() 2013-04-09 09:58:44 +02:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2013-03-12 09:22:42 -07:00
core rtnetlink: Call nlmsg_parse() with correct header length 2013-04-08 17:12:26 -04:00
dcb dcbnl: fix various netlink info leaks 2013-03-10 05:19:26 -04:00
dccp Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
decnet hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
dns_resolver Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-12-16 15:40:50 -08:00
dsa dsa: make dsa_switch_setup check for valid port names 2013-01-21 15:40:12 -05:00
ethernet net: split eth_mac_addr for better error handling 2013-01-21 14:07:44 -05:00
ieee802154 6lowpan: Fix endianness issue in is_addr_link_local(). 2013-03-10 16:49:35 -04:00
ipv4 net: drop dst before queueing fragments 2013-04-17 01:15:29 -04:00
ipv6 net: drop dst before queueing fragments 2013-04-17 01:15:29 -04:00
ipx hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
irda irda: Fix missing msg_namelen update in irda_recvmsg_dgram() 2013-04-07 16:28:01 -04:00
iucv af_iucv: fix recvmsg by replacing skb_pull() function 2013-04-08 17:16:57 -04:00
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2013-03-27 14:07:04 -04:00
l2tp l2tp: fix info leak in l2tp_ip6_recvmsg() 2013-04-07 16:28:01 -04:00
lapb net/lapb: remove depends on CONFIG_EXPERIMENTAL 2013-01-11 11:40:01 -08:00
llc llc: Fix missing msg_namelen update in llc_ui_recvmsg() 2013-04-07 16:28:01 -04:00
mac80211 Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 2013-04-01 15:09:28 -04:00
mac802154 Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
netfilter netfilter: nf_nat: fix race when unloading protocol modules 2013-04-12 11:46:31 +02:00
netlabel netlabel: fix build problems when CONFIG_IPV6=n 2013-03-08 11:33:51 -05:00
netlink genetlink: trigger BUG_ON if a group name is too long 2013-03-20 12:05:51 -04:00
netrom netrom: fix invalid use of sizeof in nr_recvmsg() 2013-04-08 22:49:23 -04:00
nfc NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() 2013-04-07 16:28:02 -04:00
openvswitch Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch 2013-03-15 09:00:39 -04:00
packet hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
phonet hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
rds net/rds: zero last byte for strncpy 2013-03-08 00:35:44 -05:00
rfkill rfkill: don't use [delayed_]work_pending() 2012-12-28 13:40:16 -08:00
rose rose: fix info leak via msg_name in rose_recvmsg() 2013-04-07 16:28:02 -04:00
rxrpc Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
sched cbq: incorrect processing of high limits 2013-04-02 14:29:20 -04:00
sctp sctp: don't break the loop while meeting the active_path so as to find the matched transport 2013-03-13 10:09:55 -04:00
sunrpc NFS client bugfixes for Linux 3.9 2013-04-10 09:00:51 -07:00
tipc tipc: fix info leaks via msg_name in recv_msg/recv_stream 2013-04-07 16:28:02 -04:00
unix af_unix: If we don't care about credentials coallesce all messages 2013-04-05 00:49:13 -04:00
vmw_vsock VSOCK: Fix missing msg_namelen update in vsock_stream_recvmsg() 2013-04-07 16:28:02 -04:00
wimax
wireless Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 2013-04-03 14:19:48 -04:00
x25 hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2013-03-27 14:07:04 -04:00
Kconfig Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
Makefile VSOCK: Introduce VM Sockets 2013-02-10 19:41:08 -05:00
compat.c
nonet.c
socket.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
sysctl_net.c user_ns: get rid of duplicate code in net_ctl_permissions 2012-11-18 20:32:45 -05:00