Merge branch 'fragment-stack-oob-read' (0ab1fa1c) · Commits · EulixOS / Software / Kernel

net/openvswitch/actions.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -827,17 +827,17 @@ static void ovs_fragment(struct net net, struct vport vport,
		}

		if (key->eth.type == htons(ETH_P_IP)) {
		struct dst_entry ovs_dst;
		struct rtable ovs_rt = { 0 };
		unsigned long orig_dst;

		prepare_frag(vport, skb, orig_network_offset,
		ovs_key_mac_proto(key));
		dst_init(&ovs_dst, &ovs_dst_ops, NULL, 1,
		dst_init(&ovs_rt.dst, &ovs_dst_ops, NULL, 1,
		DST_OBSOLETE_NONE, DST_NOCOUNT);
		ovs_dst.dev = vport->dev;
		ovs_rt.dst.dev = vport->dev;

		orig_dst = skb->_skb_refdst;
		skb_dst_set_noref(skb, &ovs_dst);
		skb_dst_set_noref(skb, &ovs_rt.dst);
		IPCB(skb)->frag_max_size = mru;

		ip_do_fragment(net, skb->sk, skb, ovs_vport_output);

+4 −4

Original line number	Diff line number	Diff line
		@@ -90,16 +90,16 @@ static int sch_fragment(struct net net, struct sk_buff skb,
		}

		if (skb_protocol(skb, true) == htons(ETH_P_IP)) {
		struct dst_entry sch_frag_dst;
		struct rtable sch_frag_rt = { 0 };
		unsigned long orig_dst;

		sch_frag_prepare_frag(skb, xmit);
		dst_init(&sch_frag_dst, &sch_frag_dst_ops, NULL, 1,
		dst_init(&sch_frag_rt.dst, &sch_frag_dst_ops, NULL, 1,
		DST_OBSOLETE_NONE, DST_NOCOUNT);
		sch_frag_dst.dev = skb->dev;
		sch_frag_rt.dst.dev = skb->dev;

		orig_dst = skb->_skb_refdst;
		skb_dst_set_noref(skb, &sch_frag_dst);
		skb_dst_set_noref(skb, &sch_frag_rt.dst);
		IPCB(skb)->frag_max_size = mru;

		ret = ip_do_fragment(net, skb->sk, skb, sch_frag_xmit);