Re: Broken commit: [NETFILTER]: ipt_REJECT: remove largelyduplicate route_reverse function

From: David Miller
Date: Tue Nov 28 2006 - 23:26:16 EST


From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Wed, 29 Nov 2006 03:28:25 +0100

> [NETFILTER]: ipt_REJECT: fix memory corruption
>
> On devices with hard_header_len > LL_MAX_HEADER ip_route_me_harder()
> reallocates the skb, leading to memory corruption when using the stale
> tcph pointer to update the checksum.
>
> Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>

Applied, thanks Patrick.

And based upon your discovery wrt. MAX_HEADER I'm also
applying the following.

commit 93e3a20d6c67a09b867431e7d5b3e7bc97154fab
Author: David S. Miller <davem@xxxxxxxxxxxxxxxxxxxx>
Date: Tue Nov 28 20:24:10 2006 -0800

[NET]: Fix MAX_HEADER setting.

MAX_HEADER is either set to LL_MAX_HEADER or LL_MAX_HEADER + 48, and
this is controlled by a set of CONFIG_* ifdef tests.

It is trying to use LL_MAX_HEADER + 48 when any of the tunnels are
enabled which set hard_header_len like this:

dev->hard_header_len = LL_MAX_HEADER + sizeof(struct xxx);

The correct set of tunnel drivers which do this are:

ipip
ip_gre
ip6_tunnel
sit

so make the ifdef test match.

Noticed by Patrick McHardy.

Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 9264139..95e86ac 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -94,7 +94,9 @@ #endif
#endif

#if !defined(CONFIG_NET_IPIP) && \
- !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE)
+ !defined(CONFIG_NET_IPGRE) && \
+ !defined(CONFIG_IPV6_SIT) && \
+ !defined(CONFIG_IPV6_TUNNEL)
#define MAX_HEADER LL_MAX_HEADER
#else
#define MAX_HEADER (LL_MAX_HEADER + 48)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/