netfilter: nf_reject_ipv4: Fix use-after-free in send_reset

niph is not updated after pskb_expand_head changes the skb head. It still points to the freed data, which is then used to update tot_len and checksum. This could cause use-after-free poison crash. Update niph, if ip_route_me_harder does not fail. This only affects the interaction with REJECT targets and br_netfilter. Signed-off-by: N Tejaswi Tanikella <tejaswit@codeaurora.org> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nf_reject_ipv4: Fix use-after-free in send_reset
niph is not updated after pskb_expand_head changes the skb head. It still points to the freed data, which is then used to update tot_len and checksum. This could cause use-after-free poison crash. Update niph, if ip_route_me_harder does not fail. This only affects the interaction with REJECT targets and br_netfilter. Signed-off-by: N Tejaswi Tanikella <tejaswit@codeaurora.org> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
7400bb4b · Tejaswi Tanikella · Pablo Neira Ayuso · 0414c78f · 7400bb4b
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

net/ipv4/netfilter/nf_reject_ipv4.c net/ipv4/netfilter/nf_reject_ipv4.c +2 -0

未找到文件。
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -132,6 +132,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 	if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
 		goto free_nskb;

+	niph = ip_hdr(nskb);
+
 	/* "Never happens" */
 	if (nskb->len > dst_mtu(skb_dst(nskb)))
 		goto free_nskb;