Re: [PATCH v4 net] ipv6: Fix dangling pointer when ipv6 fragment

From: David Miller
Date: Thu Apr 04 2019 - 00:43:17 EST


From: hujunwei <hujunwei4@xxxxxxxxxx>
Date: Tue, 2 Apr 2019 19:38:04 +0800

> From: Junwei Hu <hujunwei4@xxxxxxxxxx>
>
> At the beginning of ip6_fragment func, the prevhdr pointer is
> obtained in the ip6_find_1stfragopt func.
> However, all the pointers pointing into skb header may change
> when calling skb_checksum_help func with
> skb->ip_summed = CHECKSUM_PARTIAL condition.
> The prevhdr pointer will be dangling if it is not reloaded after
> calling __skb_linearize func in skb_checksum_help func.
>
> Here, I add a variable, nexthdr_offset, to evaluate the offset,
> which does not change even after calling __skb_linearize func.
>
> Fixes: 405c92f7a541 ("ipv6: add defensive check for CHECKSUM_PARTIAL skbs in ip_fragment")
> Signed-off-by: Junwei Hu <hujunwei4@xxxxxxxxxx>
> Reported-by: Wenhao Zhang <zhangwenhao8@xxxxxxxxxx>
> Reported-by: syzbot+e8ce541d095e486074fc@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reviewed-by: Zhiqiang Liu <liuzhiqiang26@xxxxxxxxxx>
> Acked-by: Martin KaFai Lau <kafai@xxxxxx>
> ---
> V3->V4:
> - fix build warning

Applied and queued up for -stable.
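The pattern behind the fix, as an added user-space example that is not part of the patch, the thread, or the kernel: a header chain lives in a buffer that a linearize step may reallocate, so a raw pointer taken into it before that step is stale afterwards, while an offset from the buffer start stays valid and can be turned back into a pointer once the buffer has settled. Every name here (mock_skb, mock_linearize, mock_find_prevhdr_offset, mock_fragment_prep, the MOCK_* header values and the sample bytes) is a constructed stand-in, not a kernel identifier.

```c
/* Added example, not kernel code: models why ip6_fragment must keep an
 * offset (nexthdr_offset) rather than a pointer (prevhdr) across a call
 * that can linearize, i.e. reallocate, the packet buffer. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MOCK_EXT_HDR 0     /* constructed: "another extension header follows" */
#define MOCK_PAYLOAD 17    /* constructed: "payload follows" */
#define MOCK_BAD_OFFSET ((size_t)-1)

struct mock_skb {          /* hypothetical stand-in for struct sk_buff */
    uint8_t *head;         /* start of the header buffer */
    size_t len;            /* bytes in use */
    size_t cap;            /* allocated size */
};

/* Constructed packet: 2-byte base header, then extension headers laid out
 * as [nexthdr][extra-len][extra bytes...], then payload. */
static const uint8_t sample_pkt[] = {
    MOCK_EXT_HDR, 0,              /* base header: next is an extension */
    MOCK_EXT_HDR, 2, 0xAB, 0xCD,  /* ext hdr 1 at offset 2, 2 extra bytes */
    MOCK_PAYLOAD, 0,              /* ext hdr 2 at offset 6: next is payload */
    0xDE, 0xAD, 0xBE, 0xEF        /* payload */
};

static int mock_build_sample(struct mock_skb *skb)
{
    skb->len = sizeof(sample_pkt);
    skb->cap = skb->len;
    skb->head = malloc(skb->cap);
    if (!skb->head)
        return -1;
    memcpy(skb->head, sample_pkt, skb->len);
    return 0;
}

static void mock_free(struct mock_skb *skb)
{
    free(skb->head);
    skb->head = NULL;
}

/* Stand-in for __skb_linearize: the data moves to a fresh, larger buffer,
 * so any pointer computed from the old skb->head no longer refers to it. */
static int mock_linearize(struct mock_skb *skb)
{
    size_t newcap = skb->cap * 2 + 64;
    uint8_t *n = malloc(newcap);
    if (!n)
        return -1;
    memcpy(n, skb->head, skb->len);
    free(skb->head);
    skb->head = n;
    skb->cap = newcap;
    return 0;
}

/* Walk the header chain and return the OFFSET of the last nexthdr field
 * before the payload (where a fragment header would be spliced in).
 * Returning an offset instead of a pointer is the point of the fix. */
static size_t mock_find_prevhdr_offset(const struct mock_skb *skb)
{
    if (skb->len < 2)
        return MOCK_BAD_OFFSET;
    uint8_t nh = skb->head[0];
    size_t off = 2;        /* first extension header, if any */
    size_t prev = 0;       /* offset of the nexthdr field seen last */
    while (nh == MOCK_EXT_HDR) {
        if (off + 2 > skb->len)
            return MOCK_BAD_OFFSET;          /* truncated header */
        size_t hlen = 2 + skb->head[off + 1];
        if (off + hlen > skb->len)
            return MOCK_BAD_OFFSET;          /* length runs past buffer */
        nh = skb->head[off];
        prev = off;
        off += hlen;
    }
    return prev;
}

/* Models the corrected ip6_fragment flow: compute the offset first, allow
 * the buffer to be linearized, then rebuild the pointer from the offset.
 * Returns the nexthdr value read through the rebuilt pointer, or -1. */
static int mock_fragment_prep(struct mock_skb *skb, int do_linearize)
{
    size_t nexthdr_offset = mock_find_prevhdr_offset(skb);
    if (nexthdr_offset == MOCK_BAD_OFFSET)
        return -1;
    /* A 'uint8_t *prevhdr = skb->head + nexthdr_offset;' taken HERE would be
     * stale after the call below; that is the dangling pointer in the report. */
    if (do_linearize && mock_linearize(skb) < 0)
        return -1;
    uint8_t *prevhdr = skb->head + nexthdr_offset;   /* reloaded after linearize */
    return *prevhdr;
}
```

Running mock_fragment_prep with do_linearize set reads the correct nexthdr value (MOCK_PAYLOAD at offset 6) even though skb->head now points at a different allocation; the same read through a pointer saved before mock_linearize would touch freed memory, which is exactly what the syzbot report caught.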