[PATCH openEuler-1.0-LTS] ipvlan: Fix out-of-bounds caused by unclear skb->cb in I2e mode
From: zhangqiumiao <zhangqiumiao1@huawei.com> openEuler inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7GVI1 CVE: CVE-2023-3090 Reference: https://gitee.com/openeuler/kernel/commit/f49546d265363c51a232f28f2aede5b424... -------------------------------- We should clear skb->cb before ip_local_out or ip6_local_out in l2e mode too. Fixes: 53f51b3cd1e4 ("ipvlan: Introduce l2e mode") Co-developed-by: "t.feng" <fengtao40@huawei.com> Signed-off-by: zhangqiumiao <zhangqiumiao1@huawei.com> Signed-off-by: dongchenchen <dongchenchen2@huawei.com> --- drivers/net/ipvlan/ipvlan_core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index 0a82752b28b5..57803d8196ed 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -578,6 +578,9 @@ static int ipvlan_process_v4_forward(struct sk_buff *skb) goto err; } skb_dst_set(skb, &rt->dst); + + memset(IPCB(skb), 0, sizeof(*IPCB(skb))); + err = ip_local_out(net, skb->sk, skb); if (unlikely(net_xmit_eval(err))) dev->stats.tx_errors++; @@ -615,6 +618,9 @@ static int ipvlan_process_v6_forward(struct sk_buff *skb) goto err; } skb_dst_set(skb, dst); + + memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); + err = ip6_local_out(net, skb->sk, skb); if (unlikely(net_xmit_eval(err))) dev->stats.tx_errors++; -- 2.25.1
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/17017 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/Z3L... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/17017 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/Z3L...
participants (2)
-
Dong Chenchen -
patchwork bot