• hannes@stressinduktion.org's avatar
    ipv6: protect skb->sk accesses from recursive dereference inside the stack · f60e5990
    hannes@stressinduktion.org authored
    We should not consult skb->sk for output decisions in xmit recursion
    levels > 0 in the stack. Otherwise local socket settings could influence
    the result of e.g. tunnel encapsulation process.
    
    ipv6 does not conform with this in three places:
    
    1) ip6_fragment: we do consult ipv6_npinfo for frag_size
    
    2) sk_mc_loop in ipv6 uses skb->sk and checks if we should
       loop the packet back to the local socket
    
    3) ip6_skb_dst_mtu could query the settings from the user socket and
       force a wrong MTU
    
    Furthermore:
    In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
    PF_PACKET socket ontop of an IPv6-backed vxlan device.
    
    Reuse xmit_recursion as we are currently only interested in protecting
    tunnel devices.
    
    Cc: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    f60e5990
sock.c 73.1 KB