Re: Possible NULL dereference caused by -stable commitef81bb40bf15f350fe865f31fa42f1082772a576

[Eric Dumazet]

Le mercredi 28 septembre 2011 Ã 18:51 +0800, Jason Wang a Ãcrit :
> Hi all:
> 
> A possible NULL dereference were noticed by the stable commit 
> ef81bb40bf15f350fe865f31fa42f1082772a576 (which is a backport of 
> 87c48fa3b4630905f98268dde838ee43626a060c). The case happens when bridge 
> froward a packet from guest to a physical nic, at this time no route is 
> attached to the skb which may lead a NULL dereference in 
> ipv6_select_ident(). -Next version have this check so it is fine. The 
> following patch may be used to avoid this but may also lead the ip 
> identification predicable, and this defect is also exist -next version 
> when no route because we still depends on a global variable to generate 
> the identification.  Any thought on this?

1) Discussion on current kernel :

All we need here is not the route but inet_peer, so that inet_getid()
can be called on it.

If no route is given to ipv6_select_ident(), at least we can try to get
inet_peer, and release it before exiting from ipv6_select_ident()

2) On stable kernel, we already use an array
(ipv6_fragmentation_id[FID_HASH_SZ];) to make less predictables
fragments ids.

So we could get dst addr from the packet to be forwarded instead of the
(possibly NULL) route.



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/