Kernel panic in nf_send_reset6() path




I’ve met a crash on kernel v5.4 when a v4 packet goes through a
464-clatd interface, thus converted to v6, and hits a netfilter rule
that triggers a TCP reset to be sent back.

Here is an example rule that can trigger it:

ip6tables -t filter -I zone_wan_dest_ACCEPT 1 -p tcp -j REJECT --reject-with tcp-reset


The crash is in skb_panic, when the code tries to add the eth header
(dev_hard_header) but finds no room available. There seems to be a
disconnect in the skb_alloc() and skb_reserve() values used in
nf_send_reset6(), plus the eth header added. Anyone able to confirm?

Thanks in advance,



[   49.029989] -(2)[18620:modprobe] skb_panic+0x48/0x4c
[   49.030619] -(2)[18620:modprobe] skb_push+0x38/0x40
[   49.031238] -(2)[18620:modprobe] eth_header+0x30/0xb8
[   49.031880] -(2)[18620:modprobe] nf_send_reset6+0x234/0xc4c [nf_reject_ipv6]
[   49.032771] -(2)[18620:modprobe] 0xffffffc008df6084
[   49.033389] -(2)[18620:modprobe] ip6t_do_table+0x398/0x820 [ip6_tables]
[   49.034223] -(2)[18620:modprobe] 0xffffffc008e0a054
[   49.034841] -(2)[18620:modprobe] nf_hook_slow+0x40/0xbc
[   49.035502] -(2)[18620:modprobe] nf_hook.constprop.0+0x64/0x90
[   49.036238] -(2)[18620:modprobe] ip6_forward+0x710/0x7b4
[   49.036909] -(2)[18620:modprobe] ip6_rcv_finish+0x34/0x48
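
A userspace model of the headroom accounting the message above asks about, as an added example that is not part of the original post and is not kernel code. The skb_model type, the model_* helpers and the reserved-byte values are hypothetical; it assumes the reply carries a 40-byte IPv6 header and a 20-byte TCP header before the Ethernet header is prepended, as the eth_header/skb_push frames in the trace indicate.

```c
/* Illustration only, not kernel code; skb_model and model_* are hypothetical. */
#include <stdio.h>
#include <stddef.h>

#define ETH_HLEN  14 /* Ethernet header pushed by eth_header() */
#define REPLY_LEN 60 /* assumed reply: IPv6 (40) + TCP (20) headers */

struct skb_model {
    size_t end;  /* buffer size */
    size_t data; /* offset of first used byte, i.e. the headroom */
    size_t tail; /* offset one past the last used byte */
};

/* skb_reserve(): shift data/tail of an empty buffer to create headroom. */
static void model_reserve(struct skb_model *s, size_t len)
{
    s->data += len; s->tail += len;
}

/* skb_put(): append len bytes; -1 where the kernel would panic on overrun. */
static int model_put(struct skb_model *s, size_t len)
{
    if (s->tail + len > s->end) return -1;
    s->tail += len;
    return 0;
}

/* skb_push(): prepend len bytes; -1 where the kernel calls skb_panic(). */
static int model_push(struct skb_model *s, size_t len)
{
    if (len > s->data) return -1;
    s->data -= len;
    return 0;
}

/* Build a reset reply with `reserved` bytes of headroom, then prepend an
 * Ethernet header. Returns leftover headroom, or -1 on a modelled panic. */
int build_reset(size_t reserved)
{
    struct skb_model s = { reserved + REPLY_LEN, 0, 0 };
    model_reserve(&s, reserved);
    if (model_put(&s, REPLY_LEN) || model_push(&s, ETH_HLEN)) return -1;
    return (int)s.data;
}

int main(void)
{
    printf("reserve 0 -> %d, reserve 16 -> %d\n", build_reset(0), build_reset(16));
    return 0;
}
```

Any reserved value below 14 makes the push fail in this model, which is the condition skb_push() reports through skb_panic() in the trace.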
