On 1/15/2019 9:06 AM, Nazarov Sergey wrote:
> Hello!
> Security modules (selinux, smack) use icmp_send for discarded incorrectly labeled network packets.
> This could be on TCP level too (security_sock_rcv_skb -> cipso_v4_error for INET stream connection, for example).
> icmp_send calls ip_options_echo, which uses IPCB to take compiled IP options.
> After moving IP header data to the end of the struct tcp_skb_cb (since 3.18 kernel), this could lead to
> kernel memory corruption when copying IP options.

Can you explain how that corruption might occur? Do you have a test case?

> This patch fixes a bug, but I'm not sure that this is the best solution. Perhaps someone more familiar with the
> linux TCP/IP stack will offer a better one.
> Thanks.
>
> --- a/net/ipv4/icmp.c > +++ b/net/ipv4/icmp.c > @@ -679,7 +679,8 @@ void icmp_send(struct sk_buff *skb_in, i > iph->tos; > mark = IP4_REPLY_MARK(net, skb_in->mark); > > - if (ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in)) > + if (__ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in, > + ip_hdr(skb_in)->protocol == IPPROTO_TCP ? &TCP_SKB_CB(skb_in)->header.h4.opt : &IPCB(skb_in)->opt)) > goto out_unlock; > >
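Review bot: the selector in the new `__ip_options_echo()` call keys on `ip_hdr(skb_in)->protocol == IPPROTO_TCP`, but the protocol field does not tell icmp_send whether the skb has actually reached the TCP receive path where the IP control block is relocated into `TCP_SKB_CB(skb)->header.h4`. An IPPROTO_TCP skb that is rejected earlier in IP delivery, or by a hook that runs before the TCP layer, still carries `IPCB(skb_in)->opt`, so this condition would then read the options from the wrong cb layout, which is the same class of bug the patch is trying to fix. Only the caller that drops the packet (cipso_v4_error in the description) knows which layer it is at, so consider letting the caller pass the correct `struct ip_options *` down to icmp_send rather than guessing inside icmp_send. Two smaller points: please check the argument list against the current `__ip_options_echo()` prototype, which in recent kernels takes the `struct net *` as its first argument, and wrap the ternary onto separate lines since the added `+` line is well past 80 columns.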