ACK: [CVE-2016-9755][PATCH Yakkety] netfilter: ipv6: nf_defrag: drop mangled skb on ream error
Seth Forshee
seth.forshee at canonical.com
Fri Jun 16 20:31:30 UTC 2017
On Thu, Jun 15, 2017 at 03:29:44PM +0800, Po-Hsu Lin wrote:
> From: Florian Westphal <fw at strlen.de>
>
> CVE-2016-9755
>
> Dmitry Vyukov reported GPF in network stack that Andrey traced down to
> negative nh offset in nf_ct_frag6_queue().
>
> Problem is that all network headers before fragment header are pulled.
> Normal ipv6 reassembly will drop the skb when errors occur further down
> the line.
>
> netfilter doesn't do this, and instead passed the original fragment
> along. That was also fine back when netfilter ipv6 defrag worked with
> cloned fragments, as the original, pristine fragment was passed on.
>
> So we either have to undo the pull op, or discard such fragments.
> Since they're malformed after all (e.g. overlapping fragment) it seems
> preferable to just drop them.
>
> Same for temporary errors -- it doesn't make sense to accept (and
> perhaps forward!) only some fragments of same datagram.
>
> Fixes: 029f7f3b8701cc7ac ("netfilter: ipv6: nf_defrag: avoid/free clone operations")
> Reported-by: Dmitry Vyukov <dvyukov at google.com>
> Debugged-by: Andrey Konovalov <andreyknvl at google.com>
> Diagnosed-by: Eric Dumazet <Eric Dumazet <edumazet at google.com>
> Signed-off-by: Florian Westphal <fw at strlen.de>
> Acked-by: Eric Dumazet <edumazet at google.com>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (cherry picked from commit 9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa)
>
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
Acked-by: Seth Forshee <seth.forshee at canonical.com>