[patch 21/47] ipsec: Use the correct ip_local_out function

From: Greg KH
Date: Fri Jun 13 2008 - 20:19:25 EST

Next message: Greg KH: "[patch 22/47] netlink: Fix nla_parse_nested_compat() to callnla_parse() directly"
Previous message: Greg KH: "[patch 20/47] net_sched: cls_api: fix return value fornon-existant classifiers"
In reply to: Greg KH: "[patch 20/47] net_sched: cls_api: fix return value fornon-existant classifiers"
Next in thread: Greg KH: "[patch 22/47] netlink: Fix nla_parse_nested_compat() to callnla_parse() directly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

[ upstream commit: 1ac06e0306d0192a7a4d9ea1c9e06d355ce7e7d3 ]

Because the IPsec output function xfrm_output_resume does its
own dst_output call it should always call __ip_local_output
instead of ip_local_output as the latter may invoke dst_output
directly. Otherwise the return values from nf_hook and dst_output
may clash as they both use the value 1 but for different purposes.

When that clash occurs this can cause a packet to be used after
it has been freed which usually leads to a crash. Because the
offending value is only returned from dst_output with qdiscs
such as HTB, this bug is normally not visible.

Thanks to Marco Berizzi for his perseverance in tracking this
down.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
---
net/ipv4/route.c | 2 +-
net/ipv6/route.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -162,7 +162,7 @@ static struct dst_ops ipv4_dst_ops = {
.negative_advice = ipv4_negative_advice,
.link_failure = ipv4_link_failure,
.update_pmtu = ip_rt_update_pmtu,
- .local_out = ip_local_out,
+ .local_out = __ip_local_out,
.entry_size = sizeof(struct rtable),
.entries = ATOMIC_INIT(0),
};
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -105,7 +105,7 @@ static struct dst_ops ip6_dst_ops = {
.negative_advice = ip6_negative_advice,
.link_failure = ip6_link_failure,
.update_pmtu = ip6_rt_update_pmtu,
- .local_out = ip6_local_out,
+ .local_out = __ip6_local_out,
.entry_size = sizeof(struct rt6_info),
.entries = ATOMIC_INIT(0),
};

--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 22/47] netlink: Fix nla_parse_nested_compat() to callnla_parse() directly"
Previous message: Greg KH: "[patch 20/47] net_sched: cls_api: fix return value fornon-existant classifiers"
In reply to: Greg KH: "[patch 20/47] net_sched: cls_api: fix return value fornon-existant classifiers"
Next in thread: Greg KH: "[patch 22/47] netlink: Fix nla_parse_nested_compat() to callnla_parse() directly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]