linux/net/ipv6
hannes@stressinduktion.org f60e5990d9 ipv6: protect skb->sk accesses from recursive dereference inside the stack
We should not consult skb->sk for output decisions in xmit recursion
levels > 0 in the stack. Otherwise local socket settings could influence
the result of e.g. tunnel encapsulation process.

ipv6 does not conform with this in three places:

1) ip6_fragment: we do consult ipv6_npinfo for frag_size

2) sk_mc_loop in ipv6 uses skb->sk and checks if we should
   loop the packet back to the local socket

3) ip6_skb_dst_mtu could query the settings from the user socket and
   force a wrong MTU

Furthermore:
In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
PF_PACKET socket on top of an IPv6-backed vxlan device.

Reuse xmit_recursion as we are currently only interested in protecting
tunnel devices.

Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-04-06 16:12:49 -04:00
netfilter netfilter: restore rule tracing via nfnetlink_log 2015-03-19 11:14:48 +01:00
addrconf_core.c ipv6: remove rt6i_genid 2014-09-30 14:00:48 -04:00
addrconf.c ipv6: addrconf: validate new MTU before applying it 2015-02-23 18:16:12 -05:00
addrlabel.c netlink: make nlmsg_end() and genlmsg_end() void 2015-01-18 01:03:45 -05:00
af_inet6.c ipv6: make fib6 serial number per namespace 2014-10-07 00:02:30 -04:00
ah6.c ipv6: coding style improvements (remove assignment in if statements) 2014-11-23 21:00:56 -05:00
anycast.c ipv6: remove aca_lock spinlock from struct ifacaddr6 2014-10-14 13:15:15 -04:00
datagram.c ip: fix error queue empty skb handling 2015-03-08 23:01:54 -04:00
esp6.c ipv6: coding style improvements (remove assignment in if statements) 2014-11-23 21:00:56 -05:00
exthdrs_core.c
exthdrs_offload.c
exthdrs.c net: Convert LIMIT_NETDEBUG to net_dbg_ratelimited 2014-11-11 14:10:31 -05:00
fib6_rules.c net: move fib_rules_unregister() under rtnl lock 2015-04-02 20:52:34 -04:00
icmp.c ipv6:icmp:remove unnecessary brackets 2015-01-14 16:35:49 -05:00
inet6_connection_sock.c ipv6: White-space cleansing : gaps between function and symbol export 2014-08-24 22:37:52 -07:00
inet6_hashtables.c ipv6: White-space cleansing : gaps between function and symbol export 2014-08-24 22:37:52 -07:00
ip6_checksum.c
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-01-27 16:59:56 -08:00
ip6_flowlabel.c ipv6: fix possible deadlock in ip6_fl_purge / ip6_fl_gc 2015-02-12 07:13:03 -08:00
ip6_gre.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-02-05 14:33:28 -08:00
ip6_icmp.c ipv6: White-space cleansing : Line Layouts 2014-08-24 22:37:52 -07:00
ip6_input.c ipv6: coding style improvements (remove assignment in if statements) 2014-11-23 21:00:56 -05:00
ip6_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-11-29 20:47:48 -08:00
ip6_offload.h
ip6_output.c ipv6: protect skb->sk accesses from recursive dereference inside the stack 2015-04-06 16:12:49 -04:00
ip6_tunnel.c ip6_tunnel: fix error code when tunnel exists 2015-03-17 15:01:18 -04:00
ip6_udp_tunnel.c udp: Do not require sock in udp_tunnel_xmit_skb 2015-01-24 23:15:40 -08:00
ip6_vti.c tunnels: advertise link netns via netlink 2015-01-19 14:32:03 -05:00
ip6mr.c ip6mr: call del_timer_sync() in ip6mr_free_table() 2015-04-02 20:52:35 -04:00
ipcomp6.c ipv6: White-space cleansing : Structure layouts 2014-08-24 22:37:52 -07:00
ipv6_sockglue.c ipv6: tcp: fix race in IPV6_2292PKTOPTIONS 2015-01-26 00:44:08 -08:00
Kconfig
Makefile udp_tunnel: Only build ip6_udp_tunnel.c when IPV6 is selected 2014-09-19 22:05:28 -04:00
mcast.c ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs 2014-11-16 16:55:06 -05:00
mip6.c net: Convert LIMIT_NETDEBUG to net_dbg_ratelimited 2014-11-11 14:10:31 -05:00
ndisc.c ipv6: Don't reduce hop limit for an interface 2015-03-25 11:41:08 -04:00
netfilter.c net: Convert LIMIT_NETDEBUG to net_dbg_ratelimited 2014-11-11 14:10:31 -05:00
output_core.c ipv6: Make __ipv6_select_ident static 2015-02-09 14:21:03 -08:00
ping.c net: ping: Return EAFNOSUPPORT when appropriate. 2015-03-04 15:46:51 -05:00
proc.c udp: Increment UDP_MIB_IGNOREDMULTI for arriving unmatched multicasts 2014-11-07 15:45:50 -05:00
protocol.c net: Export inet_offloads and inet6_offloads 2014-09-19 17:15:31 -04:00
raw.c net: switch memcpy_fromiovec()/memcpy_fromiovecend() users to copy_from_iter() 2015-02-04 01:34:15 -05:00
reassembly.c ipv6: coding style improvements (remove assignment in if statements) 2014-11-23 21:00:56 -05:00
route.c ipv6: fix ipv6_cow_metrics for non DST_HOST case 2015-02-14 20:26:16 -08:00
sit.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-02-05 14:33:28 -08:00
syncookies.c net: allow setting ecn via routing table 2014-11-04 16:06:09 -05:00
sysctl_net_ipv6.c ipv6: add sysctl_mld_qrv to configure query robustness variable 2014-09-04 22:26:14 -07:00
tcp_ipv6.c net: tcp6: fix double call of tcp_v6_fill_cb() 2015-03-29 13:36:05 -07:00
tcpv6_offload.c net: Remove gso_send_check as an offload callback 2014-09-26 00:22:47 -04:00
tunnel6.c ipv6: White-space cleansing : gaps between function and symbol export 2014-08-24 22:37:52 -07:00
udp_impl.h
udp_offload.c ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment 2015-03-20 12:56:11 -04:00
udp.c udpv6: Add lockless sendmsg() support 2015-02-02 19:28:04 -08:00
udplite.c
xfrm6_input.c ipv6: White-space cleansing : gaps between function and symbol export 2014-08-24 22:37:52 -07:00
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c xfrm: Fix local error reporting crash with interfamily tunnels 2015-02-09 11:14:17 +01:00
xfrm6_policy.c xfrm6: Fix a offset value for network header in _decode_session6 2015-02-06 07:00:32 +01:00
xfrm6_protocol.c
xfrm6_state.c ipv6: White-space cleansing : Line Layouts 2014-08-24 22:37:52 -07:00
xfrm6_tunnel.c ipv6: White-space cleansing : gaps between function and symbol export 2014-08-24 22:37:52 -07:00