Commit 21b995a9 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()

Since ip6_tnl_parse_tlv_enc_lim() can call pskb_may_pull(),
we must reload any pointer that was related to skb->head
(or skb->data), or risk use after free.

Fixes: c12b395a ("gre: Support GRE over IPv6")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Cc: Dmitry Kozlov <xeb@mail.ru>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent d0fa28f0
...@@ -582,6 +582,9 @@ static inline int ip6gre_xmit_ipv6(struct sk_buff *skb, struct net_device *dev) ...@@ -582,6 +582,9 @@ static inline int ip6gre_xmit_ipv6(struct sk_buff *skb, struct net_device *dev)
return -1; return -1;
offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
/* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
ipv6h = ipv6_hdr(skb);
if (offset > 0) { if (offset > 0) {
struct ipv6_tlv_tnl_enc_lim *tel; struct ipv6_tlv_tnl_enc_lim *tel;
tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset]; tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset];
......
...@@ -1303,6 +1303,8 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) ...@@ -1303,6 +1303,8 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
fl6.flowlabel = key->label; fl6.flowlabel = key->label;
} else { } else {
offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
/* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
ipv6h = ipv6_hdr(skb);
if (offset > 0) { if (offset > 0) {
struct ipv6_tlv_tnl_enc_lim *tel; struct ipv6_tlv_tnl_enc_lim *tel;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment