lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

bridge: fix a possible use after free

Browse Source 
br_multicast_ipv6_rcv() can call pskb_trim_rcsum() and therefore skb
head can be reallocated.

Cache icmp6_type field instead of dereferencing twice the struct
icmp6hdr pointer.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet
2011-08-23 19:57:05 +00:00
committed by David S. Miller
parent 4b275d7efa
commit 22df13319d
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
net/bridge/br_multicast.c
View File

@@ -1456,7 +1456,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
{ {
struct sk_buff *skb2; struct sk_buff *skb2;
const struct ipv6hdr *ip6h; const struct ipv6hdr *ip6h;
struct icmp6hdr *icmp6h; u8 icmp6_type;
u8 nexthdr; u8 nexthdr;
unsigned len; unsigned len;
int offset; int offset;
@@ -1502,9 +1502,9 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
__skb_pull(skb2, offset); __skb_pull(skb2, offset);
skb_reset_transport_header(skb2); skb_reset_transport_header(skb2);
icmp6h = icmp6_hdr(skb2); icmp6_type = icmp6_hdr(skb2)->icmp6_type;
switch (icmp6h->icmp6_type) { switch (icmp6_type) {
case ICMPV6_MGM_QUERY: case ICMPV6_MGM_QUERY:
case ICMPV6_MGM_REPORT: case ICMPV6_MGM_REPORT:
case ICMPV6_MGM_REDUCTION: case ICMPV6_MGM_REDUCTION:
@@ -1544,7 +1544,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
BR_INPUT_SKB_CB(skb)->igmp = 1; BR_INPUT_SKB_CB(skb)->igmp = 1;
switch (icmp6h->icmp6_type) { switch (icmp6_type) {
case ICMPV6_MGM_REPORT: case ICMPV6_MGM_REPORT:
{ {
struct mld_msg *mld; struct mld_msg *mld;