diff options
Diffstat (limited to 'target/linux/generic/patches-4.1/080-ipv6-ip6_fragment-fix-headroom-tests-and-skb-leak.patch')
| -rw-r--r-- | target/linux/generic/patches-4.1/080-ipv6-ip6_fragment-fix-headroom-tests-and-skb-leak.patch | 101 |
1 files changed, 0 insertions, 101 deletions
diff --git a/target/linux/generic/patches-4.1/080-ipv6-ip6_fragment-fix-headroom-tests-and-skb-leak.patch b/target/linux/generic/patches-4.1/080-ipv6-ip6_fragment-fix-headroom-tests-and-skb-leak.patch deleted file mode 100644 index 629731c2c2..0000000000 --- a/target/linux/generic/patches-4.1/080-ipv6-ip6_fragment-fix-headroom-tests-and-skb-leak.patch +++ /dev/null @@ -1,101 +0,0 @@ -From: Florian Westphal <fw@strlen.de> -Date: Thu, 17 Sep 2015 11:24:48 +0100 -Subject: [PATCH] ipv6: ip6_fragment: fix headroom tests and skb leak - -David Woodhouse reports skb_under_panic when we try to push ethernet -header to fragmented ipv6 skbs: - - skbuff: skb_under_panic: text:c1277f1e len:1294 put:14 head:dec98000 - data:dec97ffc tail:0xdec9850a end:0xdec98f40 dev:br-lan -[..] -ip6_finish_output2+0x196/0x4da - -David further debugged this: - [..] offending fragments were arriving here with skb_headroom(skb)==10. - Which is reasonable, being the Solos ADSL card's header of 8 bytes - followed by 2 bytes of PPP frame type. - -The problem is that if netfilter ipv6 defragmentation is used, skb_cow() -in ip6_forward will only see reassembled skb. - -Therefore, headroom is overestimated by 8 bytes (we pulled fragment -header) and we don't check the skbs in the frag_list either. - -We can't do these checks in netfilter defrag since outdev isn't known yet. - -Furthermore, existing tests in ip6_fragment did not consider the fragment -or ipv6 header size when checking headroom of the fraglist skbs. - -While at it, also fix a skb leak on memory allocation -- ip6_fragment -must consume the skb. - -I tested this e1000 driver hacked to not allocate additional headroom -(we end up in slowpath, since LL_RESERVED_SPACE is 16). - -If 2 bytes of headroom are allocated, fastpath is taken (14 byte -ethernet header was pulled, so 16 byte headroom available in all -fragments). - -Reported-by: David Woodhouse <dwmw2@infradead.org> -Diagnosed-by: David Woodhouse <dwmw2@infradead.org> -Signed-off-by: Florian Westphal <fw@strlen.de> -Closes 20532 ---- - ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -587,20 +587,22 @@ int ip6_fragment(struct sock *sk, struct - } - mtu -= hlen + sizeof(struct frag_hdr); - -+ hroom = LL_RESERVED_SPACE(rt->dst.dev); - if (skb_has_frag_list(skb)) { - int first_len = skb_pagelen(skb); - struct sk_buff *frag2; - - if (first_len - hlen > mtu || - ((first_len - hlen) & 7) || -- skb_cloned(skb)) -+ skb_cloned(skb) || -+ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr))) - goto slow_path; - - skb_walk_frags(skb, frag) { - /* Correct geometry. */ - if (frag->len > mtu || - ((frag->len & 7) && frag->next) || -- skb_headroom(frag) < hlen) -+ skb_headroom(frag) < (hlen + hroom + sizeof(struct frag_hdr))) - goto slow_path_clean; - - /* Partially cloned skb? */ -@@ -617,8 +619,6 @@ int ip6_fragment(struct sock *sk, struct - - err = 0; - offset = 0; -- frag = skb_shinfo(skb)->frag_list; -- skb_frag_list_init(skb); - /* BUILD HEADER */ - - *prevhdr = NEXTHDR_FRAGMENT; -@@ -626,8 +626,11 @@ int ip6_fragment(struct sock *sk, struct - if (!tmp_hdr) { - IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), - IPSTATS_MIB_FRAGFAILS); -- return -ENOMEM; -+ err = -ENOMEM; -+ goto fail; - } -+ frag = skb_shinfo(skb)->frag_list; -+ skb_frag_list_init(skb); - - __skb_pull(skb, hlen); - fh = (struct frag_hdr *)__skb_push(skb, sizeof(struct frag_hdr)); -@@ -725,7 +728,6 @@ slow_path: - */ - - *prevhdr = NEXTHDR_FRAGMENT; -- hroom = LL_RESERVED_SPACE(rt->dst.dev); - troom = rt->dst.dev->needed_tailroom; - - /* |