ip_vti: fix potential slab-use-after-free in decode_session6
stable inclusion
from stable-v5.10.192
commit 0b4d69539fdea138af2befe08893850c89248068
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I933RF

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0b4d69539fdea138af2befe08893850c89248068

--------------------------------

[ Upstream commit 6018a266 ]

When ip_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when ip_vti device sends IPv6 packets. As commit f8556919 ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets.

Fixes: f8556919 ("xfrm6: Fix the nexthdr offset in _decode_session6.")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
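
The stale-cb condition described in the commit message, as an added userspace model that is not the kernel's code or part of this commit: a qdisc and the IPv6 decode path overlay different structs on the same control block, so a leftover qdisc value is read back as `nhoff`. All `model_*` names, the struct layouts and the sample values are assumptions made for illustration; the "zero means use the default offset" behaviour is modelled on the decode function the message refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_CB_SIZE 48      /* size of the per-skb control block */
#define MODEL_DEFAULT_NHOFF 6 /* offset of nexthdr inside the IPv6 header */

/* Simplified stand-in for an skb: one scratch area shared by every layer. */
struct model_skb {
    unsigned char cb[MODEL_CB_SIZE];
    size_t len;               /* bytes of packet data available */
};

/* Hypothetical overlays: each layer interprets cb with its own layout. */
struct model_qdisc_cb { uint32_t hashes[2]; };
struct model_inet6_cb { uint16_t nhoff; };

/* Enqueue: the qdisc stores per-packet state in cb and never clears it. */
static void model_qdisc_enqueue(struct model_skb *skb, uint32_t h0, uint32_t h1)
{
    struct model_qdisc_cb q = { { h0, h1 } };
    memcpy(skb->cb, &q, sizeof(q));
}

/* Decode: trusts cb as IPv6 state; nhoff == 0 selects the default offset. */
static size_t model_decode_nhoff(const struct model_skb *skb)
{
    struct model_inet6_cb c;
    memcpy(&c, skb->cb, sizeof(c));
    return c.nhoff ? c.nhoff : MODEL_DEFAULT_NHOFF;
}

/* 1 if the offset decode would dereference lies inside the packet data. */
static int model_offset_in_bounds(const struct model_skb *skb)
{
    return model_decode_nhoff(skb) < skb->len;
}

/* The mitigation the message describes: zero cb before decoding on transmit. */
static void model_clear_cb(struct model_skb *skb)
{
    memset(skb->cb, 0, sizeof(skb->cb));
}

int main(void)
{
    struct model_skb skb = { {0}, 40 };          /* constructed 40-byte packet */
    model_qdisc_enqueue(&skb, 0x12341234u, 0);   /* constructed qdisc state */
    int stale_ok = model_offset_in_bounds(&skb); /* 0: offset 0x1234 > len */
    model_clear_cb(&skb);
    return (stale_ok == 0 && model_offset_in_bounds(&skb)) ? 0 : 1;
}
```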