Commit e7c243c9 authored by Evgeniy Polyakov's avatar Evgeniy Polyakov Committed by David S. Miller

[VLAN/BRIDGE]: Fix "skb_pull_rcsum - Fatal exception in interrupt"

I tried to preserve the bridging code as it was before, but the logic is
quite strange - I think we should free the skb on error, since it is
already unshared and thus will just leak.

Herbert Xu states:

> +	if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
> +		goto out;

If this happens it'll be a double-free on skb since we'll
return NF_DROP which makes the caller free it too.

We could return NF_STOLEN to prevent that but I'm not sure
whether that's correct netfilter semantics.  Patrick, could
you please make a call on this?

Patrick McHardy states:

NF_STOLEN should work fine here.
Signed-off-by: default avatarEvgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7c8347a9
...@@ -116,12 +116,22 @@ int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev, ...@@ -116,12 +116,22 @@ int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
struct packet_type* ptype, struct net_device *orig_dev) struct packet_type* ptype, struct net_device *orig_dev)
{ {
unsigned char *rawp = NULL; unsigned char *rawp = NULL;
struct vlan_hdr *vhdr = (struct vlan_hdr *)(skb->data); struct vlan_hdr *vhdr;
unsigned short vid; unsigned short vid;
struct net_device_stats *stats; struct net_device_stats *stats;
unsigned short vlan_TCI; unsigned short vlan_TCI;
__be16 proto; __be16 proto;
if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
return -1;
if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) {
kfree_skb(skb);
return -1;
}
vhdr = (struct vlan_hdr *)(skb->data);
/* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */ /* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */
vlan_TCI = ntohs(vhdr->h_vlan_TCI); vlan_TCI = ntohs(vhdr->h_vlan_TCI);
......
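Review bot: The two new early exits in vlan_skb_recv return a bare `-1`, and nothing explains why the `vhdr` assignment moved below the checks. I would return `NET_RX_DROP` on both paths and put a comment above the assignment, for example `/* skb_share_check() may hand back a clone and pskb_may_pull() may reallocate the header, so read skb->data only after both */`. The function body continues outside the hunk; if a later pull or header reallocation happens there, `vhdr` would have to be reloaded in the same way.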
...@@ -509,8 +509,14 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb, ...@@ -509,8 +509,14 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
struct iphdr *iph; struct iphdr *iph;
__u32 len;
struct sk_buff *skb = *pskb; struct sk_buff *skb = *pskb;
__u32 len = nf_bridge_encap_header_len(skb);
if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
return NF_STOLEN;
if (unlikely(!pskb_may_pull(skb, len)))
goto out;
if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
IS_PPPOE_IPV6(skb)) { IS_PPPOE_IPV6(skb)) {
...@@ -518,8 +524,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb, ...@@ -518,8 +524,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
if (!brnf_call_ip6tables) if (!brnf_call_ip6tables)
return NF_ACCEPT; return NF_ACCEPT;
#endif #endif
if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
goto out;
nf_bridge_pull_encap_header_rcsum(skb); nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn); return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
} }
...@@ -532,8 +536,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb, ...@@ -532,8 +536,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
!IS_PPPOE_IP(skb)) !IS_PPPOE_IP(skb))
return NF_ACCEPT; return NF_ACCEPT;
if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
goto out;
nf_bridge_pull_encap_header_rcsum(skb); nf_bridge_pull_encap_header_rcsum(skb);
if (!pskb_may_pull(skb, sizeof(struct iphdr))) if (!pskb_may_pull(skb, sizeof(struct iphdr)))
......
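Review bot: After `skb = skb_share_check(skb, GFP_ATOMIC)` at the top of br_nf_pre_routing, `*pskb` is never updated, so if a clone is returned the caller still holds the original pointer. The share check now runs before the `return NF_ACCEPT` exits shown in the later hunks and before the new `goto out` on a failed `pskb_may_pull(skb, len)`. On those paths the caller would presumably continue with, or free, the original skb while the clone is left unreferenced. Adding `*pskb = skb;` right after the NULL check would keep the two in step. This should be confirmed against the hook caller and the `out:` label, both of which are outside the visible hunks.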