UPSTREAM: net: fix fraglist segmentation reference count leak

Xin Long says:
 On udp rx path udp_rcv_segment() may do segment where the frag skbs
 will get the header copied from the head skb in skb_segment_list()
 by calling __copy_skb_header(), which could overwrite the frag skbs'
 extensions by __skb_ext_copy() and cause a leak.

 This issue was found after loading esp_offload where a sec path ext
 is set in the skb.

Fix this by discarding head state of the fraglist skb before replacing
its contents.

Fixes: 3a1296a38d0cf62 ("net: Support GRO/GSO fraglist chaining.")
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reported-by: Xiumei Mu <xmu@redhat.com>
Tested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit cf673ed0e057a2dd68d930c6d7e30d53c70c5789)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iba886d897485ddddb2f1f67347b65fbba4d3e119

This commit is contained in:

Florian Westphal

2020-03-30 18:51:29 +02:00

committed by

Greg Kroah-Hartman

parent 223c666145

commit df1cc4066f

1 changed files with 1 additions and 0 deletions

									
										1

net/core/skbuff.c
									
										View File
										
				@ -3671,6 +3671,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,

						skb_push(nskb, -skb_network_offset(nskb) + offset);

						skb_release_head_state(nskb);

						 __copy_skb_header(nskb, skb);

						skb_headers_offset_update(nskb, skb_headroom(nskb) - skb_headroom(skb));

UPSTREAM: net: fix fraglist segmentation reference count leak

1 net/core/skbuff.c Unescape Escape View File

1

net/core/skbuff.c

View File