vti6: fix input path
Since commit1625f45299
, vti6 is broken, all input packets are dropped (LINUX_MIB_XFRMINNOSTATES is incremented). XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 is set by vti6_rcv() before calling xfrm6_rcv()/xfrm6_rcv_spi(), thus we cannot set to NULL that value in xfrm6_rcv_spi(). A new function xfrm6_rcv_tnl() that enables to pass a value to xfrm6_rcv_spi() is added, so that xfrm6_rcv() is not touched (this function is used in several handlers). CC: Alexey Kodanev <alexey.kodanev@oracle.com> Fixes:1625f45299
("net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key") Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
parent
b588479358
commit
63c43787d3
@ -1540,8 +1540,10 @@ int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
|
||||
void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
|
||||
int xfrm6_extract_header(struct sk_buff *skb);
|
||||
int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
|
||||
int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
|
||||
int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
|
||||
struct ip6_tnl *t);
|
||||
int xfrm6_transport_finish(struct sk_buff *skb, int async);
|
||||
int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
|
||||
int xfrm6_rcv(struct sk_buff *skb);
|
||||
int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
|
||||
xfrm_address_t *saddr, u8 proto);
|
||||
|
@ -321,11 +321,9 @@ static int vti6_rcv(struct sk_buff *skb)
|
||||
goto discard;
|
||||
}
|
||||
|
||||
XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
|
||||
|
||||
rcu_read_unlock();
|
||||
|
||||
return xfrm6_rcv(skb);
|
||||
return xfrm6_rcv_tnl(skb, t);
|
||||
}
|
||||
rcu_read_unlock();
|
||||
return -EINVAL;
|
||||
|
@ -21,9 +21,10 @@ int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb)
|
||||
return xfrm6_extract_header(skb);
|
||||
}
|
||||
|
||||
int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
|
||||
int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
|
||||
struct ip6_tnl *t)
|
||||
{
|
||||
XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
|
||||
XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
|
||||
XFRM_SPI_SKB_CB(skb)->family = AF_INET6;
|
||||
XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
|
||||
return xfrm_input(skb, nexthdr, spi, 0);
|
||||
@ -49,13 +50,18 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
|
||||
return -1;
|
||||
}
|
||||
|
||||
int xfrm6_rcv(struct sk_buff *skb)
|
||||
int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t)
|
||||
{
|
||||
return xfrm6_rcv_spi(skb, skb_network_header(skb)[IP6CB(skb)->nhoff],
|
||||
0);
|
||||
0, t);
|
||||
}
|
||||
EXPORT_SYMBOL(xfrm6_rcv_tnl);
|
||||
|
||||
int xfrm6_rcv(struct sk_buff *skb)
|
||||
{
|
||||
return xfrm6_rcv_tnl(skb, NULL);
|
||||
}
|
||||
EXPORT_SYMBOL(xfrm6_rcv);
|
||||
|
||||
int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
|
||||
xfrm_address_t *saddr, u8 proto)
|
||||
{
|
||||
|
@ -236,7 +236,7 @@ static int xfrm6_tunnel_rcv(struct sk_buff *skb)
|
||||
__be32 spi;
|
||||
|
||||
spi = xfrm6_tunnel_spi_lookup(net, (const xfrm_address_t *)&iph->saddr);
|
||||
return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi);
|
||||
return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi, NULL);
|
||||
}
|
||||
|
||||
static int xfrm6_tunnel_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
|
||||
|
Loading…
Reference in New Issue
Block a user