Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ipv6: fix possible UAF in icmpv6_rcv()

Caching saddr and daddr before pskb_pull() is problematic
since skb->head can change.

Remove these temporary variables:

- We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr
when net_dbg_ratelimited() is called in the slow path.

- Avoid potential future misuse after pskb_pull() call.

Fixes: 4b3418fba0fe ("ipv6: icmp: include addresses in debug messages")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Joe Damato <joe@dama.to>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260416103505.2380753-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
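
A userspace model of the stale-pointer pattern the commit message describes, added here as an example; it is not part of the commit or of the kernel source. `struct buf`, `hdr()`, `pull_realloc()` and `demo_stale_cache()` are hypothetical names, and the old buffer is poisoned and kept rather than freed so that reading through the cached pointer is well defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: like an skb, the buffer stores the header position as
 * an offset from head, so the header pointer is derived on each use. */
struct buf {
    unsigned char *head;    /* start of the linear data, may be replaced */
    size_t len;             /* bytes currently in the linear area */
    size_t nh_off;          /* network header offset from head */
    unsigned char *retired; /* previous head, poisoned and kept for the demo */
};

/* Analogue of ipv6_hdr(skb): always computed from the current head. */
static unsigned char *hdr(const struct buf *b) { return b->head + b->nh_off; }

/* Analogue of a pull that must grow the linear area: data moves to a new
 * allocation. The kernel would free the old head; here it is filled with
 * 0xDD and parked in b->retired. */
static int pull_realloc(struct buf *b, size_t extra)
{
    unsigned char *n = malloc(b->len + extra);
    if (!n) return -1;
    memcpy(n, b->head, b->len);
    memset(n + b->len, 0, extra);
    memset(b->head, 0xDD, b->len);
    free(b->retired);
    b->retired = b->head;
    b->head = n;
    b->len += extra;
    return 0;
}

/* Returns 1 when a pointer cached before the pull reads poison while the
 * re-derived pointer still reads the original byte; -1 on allocation failure. */
static int demo_stale_cache(void)
{
    struct buf b = { malloc(64), 64, 8, NULL };
    if (!b.head) return -1;
    memset(b.head, 0, 64);
    hdr(&b)[0] = 0x60;                     /* constructed header byte */
    const unsigned char *cached = hdr(&b); /* the pattern the patch removes */
    if (pull_realloc(&b, 32)) { free(b.head); return -1; }
    int stale = (cached[0] == 0xDD) && (hdr(&b)[0] == 0x60);
    free(b.retired);
    free(b.head);
    return stale;
}

int main(void) { printf("cached pointer went stale: %d\n", demo_stale_cache()); return 0; }
```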

authored by Eric Dumazet and committed by Jakub Kicinski
f996edd7 dcf6d5e6

+4 -6
net/ipv6/icmp.c
··· 1104 1104 struct net *net = dev_net_rcu(skb->dev); 1105 1105 struct net_device *dev = icmp6_dev(skb); 1106 1106 struct inet6_dev *idev = __in6_dev_get(dev); 1107 - const struct in6_addr *saddr, *daddr; 1108 1107 struct icmp6hdr *hdr; 1109 1108 u8 type; 1110 1109 ··· 1134 1135 1135 1136 __ICMP6_INC_STATS(dev_net_rcu(dev), idev, ICMP6_MIB_INMSGS); 1136 1137 1137 - saddr = &ipv6_hdr(skb)->saddr; 1138 - daddr = &ipv6_hdr(skb)->daddr; 1139 - 1140 1138 if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) { 1141 1139 net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n", 1142 - saddr, daddr); 1140 + &ipv6_hdr(skb)->saddr, 1141 + &ipv6_hdr(skb)->daddr); 1143 1142 goto csum_error; 1144 1143 } 1145 1144 ··· 1217 1220 break; 1218 1221 1219 1222 net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n", 1220 - saddr, daddr); 1223 + &ipv6_hdr(skb)->saddr, 1224 + &ipv6_hdr(skb)->daddr); 1221 1225 1222 1226 /* 1223 1227 * error of unknown type.
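
Review bot: In the hunk that drops the `saddr = &ipv6_hdr(skb)->saddr;` and `daddr = &ipv6_hdr(skb)->daddr;` assignments after `__ICMP6_INC_STATS(...)`, nothing is left in the source to tell a later reader why the addresses are not cached. The commit message names "avoid potential future misuse" as a goal, but that intent lives only in the changelog. A one-line comment at that spot, saying that pointers derived from `ipv6_hdr(skb)` must not be held across `pskb_pull()` because `skb->head` can change, would keep the constraint visible where someone might reintroduce the locals.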
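
Review bot: For the last hunk, the "msg of unknown type" message, the visible context does not show where `pskb_pull()` sits relative to this call or to the checksum-failure call, so it is not possible to tell from the diff which of the two `net_dbg_ratelimited()` sites could actually have printed through a stale pointer. Please state in the changelog which call site runs after the pull, so that backporters can judge exposure. The repeated `&ipv6_hdr(skb)->saddr, &ipv6_hdr(skb)->daddr` argument pair is acceptable here since both uses are on the slow path, as the commit message says.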