commit af443b6d90de17f7630621269cf0610d9d772670
tree bd329577450b1d152813117d47796c65a45b39d4
parent 2e47c264a2e6ea24c27b4987607222202818c1f4
author Patrick McHardy <[EMAIL PROTECTED]> 1164773421 -0800
committer David S. Miller <[EMAIL PROTECTED]> 1164776378 -0800

[NETFILTER]: ipt_REJECT: fix memory corruption

On devices with hard_header_len > LL_MAX_HEADER ip_route_me_harder()
reallocates the skb, leading to memory corruption when using the stale
tcph pointer to update the checksum.

Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>

 net/ipv4/netfilter/ipt_REJECT.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index ad0312d..264763a 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -114,6 +114,14 @@ static void send_reset(struct sk_buff *o
        tcph->window = 0;
        tcph->urg_ptr = 0;
 
+       /* Adjust TCP checksum */
+       tcph->check = 0;
+       tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
+                                  nskb->nh.iph->saddr,
+                                  nskb->nh.iph->daddr,
+                                  csum_partial((char *)tcph,
+                                               sizeof(struct tcphdr), 0));
+
        /* Set DF, id = 0 */
        nskb->nh.iph->frag_off = htons(IP_DF);
        nskb->nh.iph->id = 0;
@@ -129,14 +137,8 @@ static void send_reset(struct sk_buff *o
        if (ip_route_me_harder(&nskb, addr_type))
                goto free_nskb;
 
-       /* Adjust TCP checksum */
        nskb->ip_summed = CHECKSUM_NONE;
-       tcph->check = 0;
-       tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-                                  nskb->nh.iph->saddr,
-                                  nskb->nh.iph->daddr,
-                                  csum_partial((char *)tcph,
-                                               sizeof(struct tcphdr), 0));
+
        /* Adjust IP TTL */
        nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
 
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to