On Fri, 2021-04-16 at 22:29 +0200, Davide Caratti wrote:

> for IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then,
> in the following call graph:
>   ip_fragment()

^^ the above line is a typo,

>     ip_do_fragment()
>       ip_skb_dst_mtu()
>         ip_dst_mtu_maybe_forward()
>           ip_mtu_locked()
> a pointer to that struct is casted as pointer to struct rtable, hence the
> OOB stack access. Fix this, changing the temporary variable used for IPv4
> packets in sch_fragment(), similarly to what is done for IPv6 in the same
> function.

and thanks to Eelco's help I just reproduced a similar splat with
openvswitch. Indeed, ovs_fragment() seems to have the same problem [1];
I will follow-up with a series that fixes both data-paths.



Reply via email to