3.16.7-ckt5 -stable review patch. If anyone has any objections, please let me know.
------------------ From: Thomas Graf <[email protected]> commit b8fb4e0648a2ab3734140342002f68fb0c7d1602 upstream. skb_scrub_packet() is called when a packet switches between a context such as between underlay and overlay, between namespaces, or between L3 subnets. While we already scrub the packet mark, connection tracking entry, and cached destination, the security mark/context is left intact. It seems wrong to inherit the security context of a packet when going from overlay to underlay or across forwarding paths. Signed-off-by: Thomas Graf <[email protected]> Acked-by: Flavio Leitner <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Luis Henriques <[email protected]> --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index f5f14d54d6a2..fe07faaed256 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3933,6 +3933,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet) skb->ignore_df = 0; skb_dst_drop(skb); skb->mark = 0; + skb_init_secmark(skb); secpath_reset(skb); nf_reset(skb); nf_reset_trace(skb); -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
