xfrm Fix use after free in __xfrm6_udp_encap_rcv.

klassert · klassert · commit 53a5b4f2ea85 · 2023-10-23T07:10:39.000+02:00
A recent patch changed xfrm6_udp_encap_rcv to not free the skb itself anymore but fogot the case where xfrm4_udp_encap_rcv is called subsequently. Fix this by moving the call to xfrm4_udp_encap_rcv from __xfrm6_udp_encap_rcv to xfrm6_udp_encap_rcv. Fixes: 221ddb7 ("xfrm: Support GRO for IPv6 ESP in UDP encapsulation") Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
@@ -159,7 +159,6 @@ static int __xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb, bool pull
 	/* process ESP */
 	return 0;
 }
-EXPORT_SYMBOL(xfrm4_udp_encap_rcv);
 
 /* If it's a keepalive packet, then just eat it.
  * If it's an encapsulated packet, then pass it to the
@@ -184,6 +183,7 @@ int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
 
 	return ret;
 }
+EXPORT_SYMBOL(xfrm4_udp_encap_rcv);
 
 struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
 					struct sk_buff *skb)
@@ -223,6 +223,7 @@ struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
 
 	return NULL;
 }
+EXPORT_SYMBOL(xfrm4_gro_udp_encap_rcv);
 
 int xfrm4_rcv(struct sk_buff *skb)
 {
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
@@ -80,9 +80,6 @@ static int __xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb, bool pull
 	__be32 *udpdata32;
 	u16 encap_type;
 
-	if (skb->protocol == htons(ETH_P_IP))
-		return xfrm4_udp_encap_rcv(sk, skb);
-
 	encap_type = READ_ONCE(up->encap_type);
 	/* if this is not encapsulated socket, then just return now */
 	if (!encap_type)
@@ -169,6 +166,9 @@ int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
 {
 	int ret;
 
+	if (skb->protocol == htons(ETH_P_IP))
+		return xfrm4_udp_encap_rcv(sk, skb);
+
 	ret = __xfrm6_udp_encap_rcv(sk, skb, true);
 	if (!ret)
 		return xfrm6_rcv_encap(skb, IPPROTO_ESP, 0,
@@ -190,6 +190,9 @@ struct sk_buff *xfrm6_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
 	struct sk_buff *pp = NULL;
 	int ret;
 
+	if (skb->protocol == htons(ETH_P_IP))
+		return xfrm4_gro_udp_encap_rcv(sk, head, skb);
+
 	offset = offset - sizeof(struct udphdr);
 
 	if (!pskb_pull(skb, offset))

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,6 @@ static int __xfrm4_udp_encap_rcv(struct sock sk, struct sk_buff skb, bool pull`
`159`	`159`	`/* process ESP */`
`160`	`160`	`return 0;`
`161`	`161`	`}`
`162`		`-EXPORT_SYMBOL(xfrm4_udp_encap_rcv);`
`163`	`162`
`164`	`163`	`/* If it's a keepalive packet, then just eat it.`
`165`	`164`	`* If it's an encapsulated packet, then pass it to the`
`@@ -184,6 +183,7 @@ int xfrm4_udp_encap_rcv(struct sock sk, struct sk_buff skb)`
`184`	`183`
`185`	`184`	`return ret;`
`186`	`185`	`}`
	`186`	`+EXPORT_SYMBOL(xfrm4_udp_encap_rcv);`
`187`	`187`
`188`	`188`	`struct sk_buff xfrm4_gro_udp_encap_rcv(struct sock sk, struct list_head *head,`
`189`	`189`	`struct sk_buff *skb)`
`@@ -223,6 +223,7 @@ struct sk_buff xfrm4_gro_udp_encap_rcv(struct sock sk, struct list_head *head,`
`223`	`223`
`224`	`224`	`return NULL;`
`225`	`225`	`}`
	`226`	`+EXPORT_SYMBOL(xfrm4_gro_udp_encap_rcv);`
`226`	`227`
`227`	`228`	`int xfrm4_rcv(struct sk_buff *skb)`
`228`	`229`	`{`