skb->sk can be set in the early_demux path. This can be problematic, as it may be a time-wait socket, which will blow up in the ip6_output path when we try to pull out the non-existent pinet6 pointer (the type-punning causes that pointer to be garbage). This patch orphans the skb if it's not a local socket, so we no longer have to worry about running into the time-wait problem from early demux. Signed-off-by: Alex Gartrell <agartrell@xxxxxx> --- net/netfilter/ipvs/ip_vs_core.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 990decb..57fc626 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1692,10 +1692,19 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) ip_vs_in_stats(cp, skb); ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd); - if (cp->packet_xmit) + if (cp->packet_xmit) { + /* From now on, we only care about the skb->sk if it's + * LOCAL_OUT (as we may need to update the MTU on a socket + * we own for tunneling overhead. We must orphan it, in + * case a socket was in time-wait or something and this + * value was assigned in the early_demux path. + */ + if (hooknum == NF_INET_LOCAL_IN) + skb_orphan(skb); + ret = cp->packet_xmit(skb, cp, pp, &iph); /* do not touch skb anymore */ - else { + } else { IP_VS_DBG_RL("warning: packet_xmit is null"); ret = NF_ACCEPT; } -- Alex Gartrell <agartrell@xxxxxx>
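Review bot: the new test `if (hooknum == NF_INET_LOCAL_IN)` does not say the same thing as the comment directly above it, which states that skb->sk only matters for LOCAL_OUT. Testing `hooknum != NF_INET_LOCAL_OUT` would express that rule directly and would also orphan the skb if ip_vs_in() is ever reached from another hook; otherwise the comment should state that only LOCAL_IN and LOCAL_OUT can get here. The commit message's "not a local socket" is a third wording of the same condition, so using one phrasing in all three places would make the intent easier to verify. The comment also opens a parenthesis at "(as we may need to update the MTU" and never closes it. Since the failure described is a time-wait socket having its pinet6 pointer read in ip6_output, it would help to note in the comment that skb_orphan() is relied on to clear skb->sk before `cp->packet_xmit(skb, cp, pp, &iph)` runs, so a later reordering of these two statements is recognised as unsafe.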