Patch "netfilter: Fix potential use after free in ip6_route_me_harder()" has been added to the 3.14-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 09 Jun 2014 15:37:26 -0700

This is a note to let you know that I've just added the patch titled

    netfilter: Fix potential use after free in ip6_route_me_harder()

to the 3.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-fix-potential-use-after-free-in-ip6_route_me_harder.patch
and it can be found in the queue-3.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From a8951d5814e1373807a94f79f7ccec7041325470 Mon Sep 17 00:00:00 2001
From: Sergey Popovich <popovich_sergei@xxxxxxx>
Date: Thu, 8 May 2014 16:22:35 +0300
Subject: netfilter: Fix potential use after free in ip6_route_me_harder()

From: Sergey Popovich <popovich_sergei@xxxxxxx>

commit a8951d5814e1373807a94f79f7ccec7041325470 upstream.

Dst is released one line before we access it again with dst->error.

Fixes: 58e35d147128 netfilter: ipv6: propagate routing errors from
ip6_route_me_harder()

Signed-off-by: Sergey Popovich <popovich_sergei@xxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 net/ipv6/netfilter.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -30,13 +30,15 @@ int ip6_route_me_harder(struct sk_buff *
 		.daddr = iph->daddr,
 		.saddr = iph->saddr,
 	};
+	int err;
 
 	dst = ip6_route_output(net, skb->sk, &fl6);
-	if (dst->error) {
+	err = dst->error;
+	if (err) {
 		IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
 		LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
 		dst_release(dst);
-		return dst->error;
+		return err;
 	}
 
 	/* Drop old route. */


Patches currently in stable-queue which might be from popovich_sergei@xxxxxxx are

queue-3.14/netfilter-fix-potential-use-after-free-in-ip6_route_me_harder.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html







