Revision - 34b2cef - ipv4: keep skb->dst around in presence of IP options

Revision 34b2cef20f19c87999fff3da4071e66937db9644 authored by Eric Dumazet on 04 February 2017, 19:16:52 UTC, committed by David S. Miller on 05 February 2017, 00:42:28 UTC

ipv4: keep skb->dst around in presence of IP options

Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
is accessed.

ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
are present.

We could refine the test to the presence of ts_needtime or srr,
but IP options are not often used, so let's be conservative.

Thanks to syzkaller team for finding this bug.

Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 parent 5fa8bbd

Files
Changes

Permalinks

File	Mode	Size
9p
adfs
affs
afs
autofs4
befs
bfs
btrfs
cachefiles
ceph
cifs
coda
configfs
cramfs
crypto
debugfs
devpts
dlm
ecryptfs
efivarfs
efs
exofs
exportfs
ext2
ext4
f2fs
fat
freevxfs
fscache
fuse
gfs2
hfs
hfsplus
hostfs
hpfs
hugetlbfs
isofs
jbd2
jffs2
jfs
kernfs
lockd
minix
ncpfs
nfs
nfs_common
nfsd
nilfs2
nls
notify
ntfs
ocfs2
omfs
openpromfs
orangefs
overlayfs
proc
pstore
qnx4
qnx6
quota
ramfs
reiserfs
romfs
squashfs
sysfs
sysv
tracefs
ubifs
udf
ufs
xfs
Kconfig	-rw-r--r--	7.2 KB
Kconfig.binfmt	-rw-r--r--	7.2 KB
Makefile	-rw-r--r--	4.2 KB
aio.c	-rw-r--r--	45.9 KB
anon_inodes.c	-rw-r--r--	4.9 KB
attr.c	-rw-r--r--	9.1 KB
bad_inode.c	-rw-r--r--	5.3 KB
binfmt_aout.c	-rw-r--r--	10.7 KB
binfmt_elf.c	-rw-r--r--	60.9 KB
binfmt_elf_fdpic.c	-rw-r--r--	46.9 KB
binfmt_em86.c	-rw-r--r--	2.8 KB
binfmt_flat.c	-rw-r--r--	27.8 KB
binfmt_misc.c	-rw-r--r--	18.3 KB
binfmt_script.c	-rw-r--r--	3.0 KB
block_dev.c	-rw-r--r--	55.3 KB
buffer.c	-rw-r--r--	91.5 KB
char_dev.c	-rw-r--r--	13.5 KB
compat.c	-rw-r--r--	35.3 KB
compat_binfmt_elf.c	-rw-r--r--	3.7 KB
compat_ioctl.c	-rw-r--r--	45.8 KB
coredump.c	-rw-r--r--	21.2 KB
dax.c	-rw-r--r--	39.6 KB
dcache.c	-rw-r--r--	93.8 KB
dcookies.c	-rw-r--r--	6.9 KB
direct-io.c	-rw-r--r--	38.3 KB
drop_caches.c	-rw-r--r--	1.6 KB
eventfd.c	-rw-r--r--	12.9 KB
eventpoll.c	-rw-r--r--	60.1 KB
exec.c	-rw-r--r--	44.4 KB
fcntl.c	-rw-r--r--	16.7 KB
fhandle.c	-rw-r--r--	6.5 KB
file.c	-rw-r--r--	23.6 KB
file_table.c	-rw-r--r--	8.5 KB
filesystems.c	-rw-r--r--	6.4 KB
fs-writeback.c	-rw-r--r--	70.4 KB
fs_pin.c	-rw-r--r--	2.0 KB
fs_struct.c	-rw-r--r--	3.3 KB
inode.c	-rw-r--r--	55.0 KB
internal.h	-rw-r--r--	4.7 KB
ioctl.c	-rw-r--r--	17.2 KB
iomap.c	-rw-r--r--	22.7 KB
libfs.c	-rw-r--r--	30.4 KB
locks.c	-rw-r--r--	73.3 KB
mbcache.c	-rw-r--r--	11.9 KB
mount.h	-rw-r--r--	3.8 KB
mpage.c	-rw-r--r--	20.5 KB
namei.c	-rw-r--r--	119.6 KB
namespace.c	-rw-r--r--	84.5 KB
no-block.c	-rw-r--r--	688 bytes
nsfs.c	-rw-r--r--	5.1 KB
open.c	-rw-r--r--	27.6 KB
pipe.c	-rw-r--r--	27.3 KB
pnode.c	-rw-r--r--	11.3 KB
pnode.h	-rw-r--r--	1.9 KB
posix_acl.c	-rw-r--r--	21.4 KB
proc_namespace.c	-rw-r--r--	7.8 KB
read_write.c	-rw-r--r--	45.8 KB
readdir.c	-rw-r--r--	7.3 KB
select.c	-rw-r--r--	25.7 KB
seq_file.c	-rw-r--r--	23.1 KB
signalfd.c	-rw-r--r--	9.2 KB
splice.c	-rw-r--r--	39.9 KB
stack.c	-rw-r--r--	2.5 KB
stat.c	-rw-r--r--	11.9 KB
statfs.c	-rw-r--r--	5.3 KB
super.c	-rw-r--r--	37.8 KB
sync.c	-rw-r--r--	9.9 KB
timerfd.c	-rw-r--r--	13.1 KB
userfaultfd.c	-rw-r--r--	36.3 KB
utimes.c	-rw-r--r--	5.6 KB
xattr.c	-rw-r--r--	23.5 KB

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...