On Fri, 2021-04-16 at 22:29 +0200, Davide Caratti wrote:

[...]

> for IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then,
> in the following call graph:
>
>  ip_fragment()

^^ the above line is a typo,

>   ip_do_fragment()
>    ip_skb_dst_mtu()
>     ip_dst_mtu_maybe_forward()
>      ip_mtu_locked()
>
> a pointer to that struct is cast as a pointer to struct rtable, hence the
> OOB stack access. Fix this, changing the temporary variable used for IPv4
> packets in sch_fragment(), similarly to what is done for IPv6 in the same
> function.

and thanks to Eelco's help I just reproduced a similar splat with
openvswitch. Indeed, ovs_fragment() seems to have the same problem [1]; I
will follow up with a series that fixes both data-paths.

--
davide

[1] https://elixir.bootlin.com/linux/v5.12-rc8/source/net/openvswitch/actions.c#L813
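The bug class discussed in the thread, as an added illustration that is not kernel code and not part of the original message: a callee that casts a `struct dst_entry *` to `struct rtable *` reads past the end of any bare `dst_entry` temporary, and the fix is to allocate the full container on the stack. The struct layouts, field names and function names below are invented stand-ins, not the kernel's definitions.

```c
/* Simplified model of the sch_fragment()/ovs_fragment() stack OOB read.
 * Layouts are constructed for the demo; they are not the kernel's. */
#include <stddef.h>
#include <string.h>

struct dst_entry {              /* stand-in for the base object */
    unsigned int mtu;
    unsigned int flags;
};

struct rtable {                 /* stand-in: dst_entry is its first member */
    struct dst_entry dst;
    unsigned int rt_mtu_locked; /* lies beyond the end of a bare dst_entry */
    unsigned int rt_other;
};

/* Mirrors the callee at the bottom of the call graph: it assumes every
 * dst_entry it is handed is embedded in a struct rtable. noinline keeps
 * the compiler from seeing through the cast, as a separate TU would. */
__attribute__((noinline))
static unsigned int mtu_locked(const struct dst_entry *dst)
{
    const struct rtable *rt = (const struct rtable *)dst;
    return rt->rt_mtu_locked;
}

/* Buggy shape (the one the thread fixes): the temporary is the smaller
 * type, so mtu_locked() reads rt_mtu_locked beyond the object. Shown for
 * contrast only; never call it. */
unsigned int fragment_with_bare_dst(unsigned int mtu)
{
    struct dst_entry dst = { .mtu = mtu, .flags = 0 };
    return mtu_locked(&dst);    /* out-of-bounds stack read */
}

/* Bytes the callee reads past a bare dst_entry; nonzero means a temporary
 * of the smaller type must not be passed down this path. */
size_t oob_bytes_if_bare_dst(void)
{
    return sizeof(struct rtable) - sizeof(struct dst_entry);
}

/* Fixed shape: allocate the full container and pass a pointer to its
 * embedded dst_entry, so the cast in the callee stays inside the object. */
unsigned int fragment_with_full_rtable(unsigned int mtu, unsigned int locked)
{
    struct rtable rt;
    memset(&rt, 0, sizeof(rt));
    rt.dst.mtu = mtu;
    rt.rt_mtu_locked = locked;
    return mtu_locked(&rt.dst); /* in bounds: &rt.dst lives inside rt */
}
```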