From: Tejaswi Tanikella <tejaswit@codeaurora.org>
Date: Mon, 23 Oct 2017 06:16:03 +0000 (+0530)
Subject: netfilter: nf_reject_ipv4: Fix use-after-free in send_reset
X-Git-Tag: Ubuntu-5.13.0-19.19~12305^2~5^2
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=7400bb4b5800831581a82f71700af6a5e815c3c8;p=mirror_ubuntu-jammy-kernel.git

netfilter: nf_reject_ipv4: Fix use-after-free in send_reset

niph is not updated after pskb_expand_head changes the skb head. It
still points to the freed data, which is then used to update tot_len and
checksum. This could cause use-after-free poison crash.

Update niph, if ip_route_me_harder does not fail.

This only affects the interaction with REJECT targets and br_netfilter.

Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index eeacbdaf7cdf..5cd06ba3535d 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -132,6 +132,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 	if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
 		goto free_nskb;
 
+	niph = ip_hdr(nskb);
+
 	/* "Never happens" */
 	if (nskb->len > dst_mtu(skb_dst(nskb)))
 		goto free_nskb;