[PATCH 1/2] ip_tunnel: fix potential issue in ip_tunnel_rcv

From: Haishuang Yan
Date: Wed Jun 07 2017 - 10:16:33 EST

Next message: Haishuang Yan: "[PATCH 2/2] ip6_tunnel: fix potential issue in __ip6_tnl_rcv"
Previous message: Eric W. Biederman: "Re: [PATCH 06/26] rlimit: Remove unnecessary grab of tasklist_lock"
Next in thread: Haishuang Yan: "[PATCH 2/2] ip6_tunnel: fix potential issue in __ip6_tnl_rcv"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When ip_tunnel_rcv fails, the tun_dst won't be freed, so move
skb_dst_set to begin and tun_dst would be freed by kfree_skb.

Signed-off-by: Haishuang Yan <yanhaishuang@xxxxxxxxxxxxxxxxxxxx>
---
net/ipv4/ip_tunnel.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index b878ecb..27fc20f 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -386,6 +386,9 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
const struct iphdr *iph = ip_hdr(skb);
int err;

+ if (tun_dst)
+ skb_dst_set(skb, (struct dst_entry *)tun_dst);
+
#ifdef CONFIG_NET_IPGRE_BROADCAST
if (ipv4_is_multicast(iph->daddr)) {
tunnel->dev->stats.multicast++;
@@ -439,9 +442,6 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
skb->dev = tunnel->dev;
}

- if (tun_dst)
- skb_dst_set(skb, (struct dst_entry *)tun_dst);
-
gro_cells_receive(&tunnel->gro_cells, skb);
return 0;

--
1.8.3.1

Next message: Haishuang Yan: "[PATCH 2/2] ip6_tunnel: fix potential issue in __ip6_tnl_rcv"
Previous message: Eric W. Biederman: "Re: [PATCH 06/26] rlimit: Remove unnecessary grab of tasklist_lock"
Next in thread: Haishuang Yan: "[PATCH 2/2] ip6_tunnel: fix potential issue in __ip6_tnl_rcv"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]