linux/net/ipv6
Pavel Tikhomirov 9874808878 netfilter: bridge: replace physindev with physinif in nf_bridge_info
An skb can be added to a neigh->arp_queue while waiting for an arp
reply, where the original skb's skb->dev can be different from the neigh's
neigh->dev. For instance, in case of bridging a dnated skb from one veth to
another, the skb would be added to a neigh->arp_queue of the bridge.

As skb->dev can be reset back to nf_bridge->physindev and used, and as
there is no explicit mechanism that prevents this physindev from being
freed under us (for instance neigh_flush_dev doesn't clean up skbs from
a different device's neigh queue), we can crash on e.g. this stack:

arp_process
  neigh_update
    skb = __skb_dequeue(&neigh->arp_queue)
      neigh_resolve_output(..., skb)
        ...
          br_nf_dev_xmit
            br_nf_pre_routing_finish_bridge_slow
              skb->dev = nf_bridge->physindev
              br_handle_frame_finish

Let's use plain ifindex instead of net_device link. To peek into the
original net_device we will use dev_get_by_index_rcu(). Thus either we
get device and are safe to use it or we don't get it and drop skb.

Fixes: c4e70a87d9 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2024-01-17 12:02:49 +01:00
..
ila
netfilter netfilter: bridge: replace physindev with physinif in nf_bridge_info 2024-01-17 12:02:49 +01:00
addrconf.c Revert "net: ipv6/addrconf: clamp preferred_lft to the minimum required" 2024-01-02 14:58:46 -08:00
addrconf_core.c
addrlabel.c
af_inet6.c ipsec-next-2023-10-28 2023-10-30 14:36:57 -07:00
ah6.c net: ipv6: stop checking crypto_ahash_alignmask 2023-10-27 18:04:29 +08:00
anycast.c
calipso.c
datagram.c ipv6: annotate data-races around np->ucast_oif 2023-12-11 10:59:17 +00:00
esp6.c net: ipv6: fix typo in comments 2023-10-25 10:38:07 +01:00
esp6_offload.c xfrm: Support GRO for IPv6 ESP in UDP encapsulation 2023-10-06 07:31:14 +02:00
exthdrs.c
exthdrs_core.c
exthdrs_offload.c net: gso: add HBH extension header offload support 2024-01-05 08:11:49 -08:00
fib6_notifier.c
fib6_rules.c fib: remove unnecessary input parameters in fib_default_rule_add 2024-01-03 16:42:48 -08:00
fou6.c
icmp.c ipv6: annotate data-races around np->ucast_oif 2023-12-11 10:59:17 +00:00
inet6_connection_sock.c net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
inet6_hashtables.c
ioam6.c
ioam6_iptunnel.c netlink: make range pointers in policies const 2023-10-26 16:24:09 -07:00
ip6_checksum.c
ip6_fib.c net/ipv6: Revert remove expired routes with a separated list of routes 2023-12-21 09:01:30 +01:00
ip6_flowlabel.c ipv6: move np->repflow to atomic flags 2023-09-15 10:33:48 +01:00
ip6_gre.c
ip6_icmp.c
ip6_input.c ipv6: ignore dst hint for multipath routes 2023-09-01 08:11:51 +01:00
ip6_offload.c net: gro: parse ipv6 ext headers without frag0 invalidation 2024-01-05 08:11:49 -08:00
ip6_offload.h
ip6_output.c ipv6: avoid atomic fragment on GSO packets 2023-10-25 18:04:29 -07:00
ip6_tunnel.c ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() 2024-01-07 15:27:29 +00:00
ip6_udp_tunnel.c ipv6: add new arguments to udp_tunnel6_dst_lookup() 2023-10-23 08:48:57 +01:00
ip6_vti.c xfrm: pass struct net to xfrm_decode_session wrappers 2023-10-06 08:31:53 +02:00
ip6mr.c fib: remove unnecessary input parameters in fib_default_rule_add 2024-01-03 16:42:48 -08:00
ipcomp6.c
ipv6_sockglue.c net: Namespace-ify sysctl_optmem_max 2023-12-15 11:01:27 +00:00
Kconfig ipv6: fix indentation of a config attribute 2023-08-16 10:03:08 +01:00
Makefile net/tcp: Introduce TCP_AO setsockopt()s 2023-10-27 10:35:44 +01:00
mcast.c net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams. 2023-10-20 12:01:00 +01:00
mcast_snoop.c
mip6.c
ndisc.c net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams. 2023-10-20 12:01:00 +01:00
netfilter.c xfrm: pass struct net to xfrm_decode_session wrappers 2023-10-06 08:31:53 +02:00
output_core.c
ping.c ipv6: annotate data-races around np->ucast_oif 2023-12-11 10:59:17 +00:00
proc.c net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams. 2023-10-20 12:01:00 +01:00
protocol.c
raw.c ipv6: annotate data-races around np->ucast_oif 2023-12-11 10:59:17 +00:00
reassembly.c
route.c net/ipv6: Revert remove expired routes with a separated list of routes 2023-12-21 09:01:30 +01:00
rpl.c
rpl_iptunnel.c
seg6.c
seg6_hmac.c
seg6_iptunnel.c
seg6_local.c seg6: add NEXT-C-SID support for SRv6 End.X behavior 2023-08-15 18:51:47 -07:00
sit.c
syncookies.c tcp: Factorise cookie-dependent fields initialisation in cookie_v[46]_check() 2023-11-29 20:16:38 -08:00
sysctl_net_ipv6.c
tcp_ao.c net/tcp: Wire up l3index to TCP-AO 2023-10-27 10:35:46 +01:00
tcp_ipv6.c tcp: Revert no longer abort SYN_SENT when receiving some ICMP 2024-01-08 19:08:51 -08:00
tcpv6_offload.c
tunnel6.c
udp.c udp: annotate data-races around up->pending 2024-01-13 15:46:20 +00:00
udp_impl.h
udp_offload.c
udplite.c udplite: remove UDPLITE_BIT 2023-09-14 16:16:36 +02:00
xfrm6_input.c xfrm Fix use after free in __xfrm6_udp_encap_rcv. 2023-10-23 07:10:39 +02:00
xfrm6_output.c ipv6: drop feature RTAX_FEATURE_ALLFRAG 2023-10-25 18:04:29 -07:00
xfrm6_policy.c ipsec-2023-10-17 2023-10-17 18:21:13 -07:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c