linux/net
hannes@stressinduktion.org f60e5990d9 ipv6: protect skb->sk accesses from recursive dereference inside the stack
We should not consult skb->sk for output decisions in xmit recursion
levels > 0 in the stack. Otherwise local socket settings could influence
the result of e.g. tunnel encapsulation process.

ipv6 does not conform with this in three places:

1) ip6_fragment: we do consult ipv6_npinfo for frag_size

2) sk_mc_loop in ipv6 uses skb->sk and checks if we should
   loop the packet back to the local socket

3) ip6_skb_dst_mtu could query the settings from the user socket and
   force a wrong MTU

Furthermore:
In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
PF_PACKET socket ontop of an IPv6-backed vxlan device.

Reuse xmit_recursion as we are currently only interested in protecting
tunnel devices.

Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-04-06 16:12:49 -04:00
..
6lowpan net/6lowpan: Remove FSF address from GPL statement. 2014-12-05 12:43:04 +01:00
9p 9p/trans_virtio: fix hot-unplug 2015-03-13 15:55:41 +10:30
802
8021q vlan: advertise link netns via netlink 2015-01-23 17:51:15 -08:00
appletalk new helper: memcpy_from_msg() 2014-11-24 04:28:48 -05:00
atm put iov_iter into msghdr 2014-12-09 16:29:03 -05:00
ax25 new helper: memcpy_from_msg() 2014-11-24 04:28:48 -05:00
batman-adv batman-adv: Kconfig, Add missing DEBUG_FS dependency 2015-01-07 22:17:11 +01:00
bluetooth Bluetooth: Fix potential NULL dereference 2015-02-03 09:02:12 +01:00
bridge bridge: reset bridge mtu after deleting an interface 2015-03-14 19:12:38 -04:00
caif caif: fix MSG_OOB test in caif_seqpkt_recvmsg() 2015-03-15 22:19:17 -04:00
can can: add missing initialisations in CAN related skbuffs 2015-03-09 10:22:24 +01:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2015-02-19 14:14:42 -08:00
core ipv6: protect skb->sk accesses from recursive dereference inside the stack 2015-04-06 16:12:49 -04:00
dcb dcbnl : Disable software interrupts before taking dcb_lock 2014-11-16 14:50:52 -05:00
dccp net: introduce helper macro for_each_cmsghdr 2014-12-10 22:41:55 -05:00
decnet net: move fib_rules_unregister() under rtnl lock 2015-04-02 20:52:34 -04:00
dns_resolver
dsa net: dsa: Set valid phy interface type 2015-02-17 10:37:39 -08:00
ethernet net: Add Transparent Ethernet Bridging GRO support. 2015-01-02 15:46:41 -05:00
hsr net/hsr: Fix NULL pointer dereference and refcnt bugs when deleting a HSR interface. 2015-03-01 13:40:23 -05:00
ieee802154 netlink: make nlmsg_end() and genlmsg_end() void 2015-01-18 01:03:45 -05:00
ipv4 net: move fib_rules_unregister() under rtnl lock 2015-04-02 20:52:34 -04:00
ipv6 ipv6: protect skb->sk accesses from recursive dereference inside the stack 2015-04-06 16:12:49 -04:00
ipx switch ipxrtr_route_packet() from iovec to msghdr 2014-11-24 04:28:49 -05:00
irda TTY/Serial fixes for 4.0-rc3 2015-03-08 12:25:40 -07:00
iucv af_iucv: fix AF_IUCV sendmsg() errno 2015-03-31 16:06:50 -04:00
key new helper: memcpy_from_msg() 2014-11-24 04:28:48 -05:00
l2tp netlink: make nlmsg_end() and genlmsg_end() void 2015-01-18 01:03:45 -05:00
lapb
llc net: llc: use correct size for sysctl timeout entries 2015-01-25 00:23:21 -08:00
mac80211 mac80211: fix RX A-MPDU session reorder timer deletion 2015-04-01 14:35:01 +02:00
mac802154 mac802154: fix kbuild test robot warning 2015-01-03 01:51:51 +01:00
mpls net: mark some potential candidates __read_mostly 2015-01-30 17:58:39 -08:00
netfilter netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set 2015-03-22 19:32:05 +01:00
netlabel Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2015-02-11 20:25:11 -08:00
netlink rhashtable: remove indirection for grow/shrink decision functions 2015-02-27 16:06:02 -05:00
netrom new helper: memcpy_from_msg() 2014-11-24 04:28:48 -05:00
nfc NFC: nci: Move NFCEE discovery logic 2015-02-04 09:15:18 +01:00
openvswitch openvswitch: Return vport module ref before destruction 2015-03-31 15:59:50 -04:00
packet net: delete stale packet_mclist entries 2015-03-09 16:17:43 -04:00
phonet phonet netlink: allow multiple messages per skb in route dump 2015-01-19 16:20:17 -05:00
rds rds: avoid potential stack overflow 2015-03-12 00:28:01 -04:00
rfkill Last round of updates for net-next: 2015-02-04 14:57:45 -08:00
rose new helper: memcpy_from_msg() 2014-11-24 04:28:48 -05:00
rxrpc rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg() 2015-03-15 22:20:09 -04:00
sched act_bpf: allow non-default TC_ACT opcodes as BPF exec outcome 2015-03-17 22:15:06 -04:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-02-05 14:33:28 -08:00
sunrpc sunrpc: make debugfs file creation failure non-fatal 2015-03-31 14:15:08 -04:00
switchdev Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2015-02-19 10:36:45 -08:00
tipc tipc: fix a slab object leak 2015-03-31 23:10:08 -04:00
unix net: remove sock_iocb 2015-01-28 23:15:07 -08:00
vmw_vsock vmci: propagate msghdr all way down to __qp_memcpy_to_queue() 2015-02-04 01:34:14 -05:00
wimax
wireless nl80211: ignore HT/VHT capabilities without QoS/WMM 2015-03-16 09:36:11 +01:00
x25 new helper: memcpy_from_msg() 2014-11-24 04:28:48 -05:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2015-03-16 16:16:49 -04:00
compat.c net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour 2015-03-20 16:31:09 -04:00
Kconfig kconfig: use bool instead of boolean for type definition attributes 2015-01-07 13:08:04 +01:00
Makefile Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2014-12-16 15:53:03 -08:00
socket.c net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom 2015-03-20 16:38:06 -04:00
sysctl_net.c