ipv6: fix possible use-after-free in ip6_xmit() - xavi/android_kernel_m2note - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Eric Dumazet <edumazet@google.com>	2018-09-14 12:02:31 -0700
committer	Moyster <oysterized@gmail.com>	2019-05-03 19:24:03 +0200
commit	4ef894261582825de09b0c14f2c344c71a81e74c (patch)
tree	175b85acc8c52aa76220421bb2b3a7e4b91502fd /kernel/context_tracking.c
parent	d1b5e22588c61060bf83d19bf886e4b57212630a (diff)

ipv6: fix possible use-after-free in ip6_xmit()

commit bbd6528d28c1b8e80832b3b018ec402b6f5c3215 upstream. In the unlikely case ip6_xmit() has to call skb_realloc_headroom(), we need to call skb_set_owner_w() before consuming original skb, otherwise we risk a use-after-free. Bring IPv6 in line with what we do in IPv4 to fix this. Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") Change-Id: Ib8308a54ddf72ef170dfe51255f2981e58c43760 Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Diffstat (limited to 'kernel/context_tracking.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: