git.proxmox.com Git - pve-kernel-jessie.git/blob - CVE-2017-6074-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
fix CVE-2017-6074: local root in dccp module
1 From 4feb04ade2a559e0e76a0215d259c5673e5b1cbd Mon Sep 17 00:00:00 2001
2 From: Andrey Konovalov <andreyknvl@google.com>
3 Date: Thu, 16 Feb 2017 17:22:46 +0100
4 Subject: [PATCH] dccp: fix freeing skb too early for IPV6_RECVPKTINFO
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
10 is forcibly freed via __kfree_skb in dccp_rcv_state_process if
11 dccp_v6_conn_request successfully returns.
12
13 However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
14 is saved to ireq->pktopts and the ref count for skb is incremented in
15 dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
16 in dccp_rcv_state_process.
17
18 Fix by calling consume_skb instead of doing goto discard and therefore
19 calling __kfree_skb.
20
21 Similar fixes for TCP:
22
23 fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
24 0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
25 simply consumed
26
27 Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
28 Acked-by: Eric Dumazet <edumazet@google.com>
29 Signed-off-by: David S. Miller <davem@davemloft.net>
30
31 CVE-2017-6074
32 BugLink: http://bugs.launchpad.net/bugs/1665935
33
34 (cherry-picked from 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 davem)
35 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
36
37 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
38 ---
39 net/dccp/input.c | 3 ++-
40 1 file changed, 2 insertions(+), 1 deletion(-)
41
42 diff --git a/net/dccp/input.c b/net/dccp/input.c
43 index 3bd14e8..dbe2573 100644
44 --- a/net/dccp/input.c
45 +++ b/net/dccp/input.c
46 @@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
47 if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
48 skb) < 0)
49 return 1;
50 - goto discard;
51 + consume_skb(skb);
52 + return 0;
53 }
54 if (dh->dccph_type == DCCP_PKT_RESET)
55 goto discard;
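Review bot: the correctness of this hunk rests on consume_skb() respecting the extra reference that dccp_v6_conn_request takes when IPV6_RECVPKTINFO is set, whereas the old `goto discard` path freed the skb unconditionally via __kfree_skb; nothing in the code records that, so add a one-line comment above `consume_skb(skb);` noting that the skb may still be held in ireq->pktopts, otherwise a later cleanup could "simplify" it back to `goto discard` and reintroduce the use-after-free. The explicit `return 0;` is also load-bearing, not cosmetic: without it control would fall through to the `dh->dccph_type == DCCP_PKT_RESET` check with an skb this function no longer owns, so the two added lines must stay together. The remaining `goto discard;` on the RESET path is unaffected, since no extra reference is taken there. For backport verification, the bug is reachable on any host with the dccp module loadable, so a test kernel should be checked with the module built and KASAN or slub_debug enabled on the listen/REQUEST path.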
56 --
57 2.1.4
58