Commit 58652e24 authored by Jakub Kicinski

Merge branch 'ipv6-fix-possible-uaf-in-output-paths'

Eric Dumazet says:

====================
ipv6: fix possible UAF in output paths

First patch fixes an issue spotted by syzbot, and the two
other patches fix error paths after skb_expand_head()
adoption.
====================

Link: https://patch.msgid.link/20240820160859.3786976-1-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 007d4271 2d5ff7e3
+10 −0
@@ -70,11 +70,15 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *

	/* Be paranoid, rather than too clever. */
	if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
		/* Make sure idev stays alive */
		rcu_read_lock();
		skb = skb_expand_head(skb, hh_len);
		if (!skb) {
			IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
			rcu_read_unlock();
			return -ENOMEM;
		}
		rcu_read_unlock();
	}

	hdr = ipv6_hdr(skb);
@@ -283,11 +287,15 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
		head_room += opt->opt_nflen + opt->opt_flen;

	if (unlikely(head_room > skb_headroom(skb))) {
		/* Make sure idev stays alive */
		rcu_read_lock();
		skb = skb_expand_head(skb, head_room);
		if (!skb) {
			IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
			rcu_read_unlock();
			return -ENOBUFS;
		}
		rcu_read_unlock();
	}

	if (opt) {
@@ -1956,6 +1964,7 @@ int ip6_send_skb(struct sk_buff *skb)
	struct rt6_info *rt = dst_rt6_info(skb_dst(skb));
	int err;

	rcu_read_lock();
	err = ip6_local_out(net, skb->sk, skb);
	if (err) {
		if (err > 0)
@@ -1965,6 +1974,7 @@ int ip6_send_skb(struct sk_buff *skb)
				      IPSTATS_MIB_OUTDISCARDS);
	}

	rcu_read_unlock();
	return err;
}
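Review bot: The rcu_read_lock()/rcu_read_unlock() pair in ip6_send_skb() has no comment at all, and the `/* Make sure idev stays alive */` comments in ip6_finish_output2() and ip6_xmit() state the goal without naming the hazard. In those two functions the error path passes idev to IP6_INC_STATS() after skb_expand_head() has returned NULL; as far as I know that helper frees the skb on failure, and presumably the skb's dst was what kept idev pinned, which is why the read-side section has to open before the call. I would say so in the comment, e.g. `/* skb_expand_head() frees skb on failure; hold RCU so idev outlives the stats update */`. In ip6_send_skb() I would add something like `/* ip6_local_out() may consume skb; keep rt valid for the error stats below */`. All three functions begin outside the hunks shown, so where idev is loaded relative to the lock, and how rt is used in the lines elided between the last two hunks, cannot be confirmed from this page.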