Phil Oester <kernel@xxxxxxxxxxxx> wrote:
> In commit 4cdd3408 ("netfilter: nf_conntrack_ipv6: improve fragmentation
> handling"), an sk_buff leak was introduced when dealing with reassembled
> packets by grabbing a reference to the original skb instead of the
> reassembled skb. At this point, the leak only impacted conntracks with an
> associated helper.

David, could you please apply this patch directly in case Pablo doesn't apply it first? This fixes a remote DoS, so it better hit -stable ASAP.

Thanks.

[ archive link: http://patchwork.ozlabs.org/patch/252692/ ]

> diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c > index 97bcf2b..c9b6a6e 100644 > --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c > +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c > @@ -204,7 +204,7 @@ static unsigned int __ipv6_conntrack_in(struct net *net, > if (ct != NULL && !nf_ct_is_untracked(ct)) { > help = nfct_help(ct); > if ((help && help->helper) || !nf_ct_is_confirmed(ct)) { > - nf_conntrack_get_reasm(skb); > + nf_conntrack_get_reasm(reasm); > NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm, > (struct net_device *)in, > (struct net_device *)out,

Thanks for fixing it, but personally I would have preferred a short early warning period.
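Review bot: the changelog's scope statement does not match the condition guarding the changed call in __ipv6_conntrack_in(). The message says the leak only affected conntracks with an associated helper, but the branch shown is `if ((help && help->helper) || !nf_ct_is_confirmed(ct))`, so unconfirmed conntracks reach the same reference grab. The changelog should say which cases are affected in the tree this applies to. Since the reply asks for this to reach -stable as a remote DoS fix, the patch should also carry a stable tag rather than rely on the cover text. A one-line comment above `nf_conntrack_get_reasm(reasm);` noting that the reference has to be taken on the same skb that is passed to NF_HOOK_THRESH (here `reasm`) would make it harder for the two arguments to drift apart again.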