[IPV4/IPV6]: Fix use-after-free bugs in tunneling drivers.

f945e9c3 · Julian Anastasov · Hideaki Yoshifuji · de3ce7ba · f945e9c3 · f945e9c3
Commit f945e9c3 authored Jul 15, 2003 by Julian Anastasov Committed by Hideaki Yoshifuji Jul 15, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

net/ipv4/ip_gre.c net/ipv4/ip_gre.c +1 -0

net/ipv4/ipip.c net/ipv4/ipip.c +1 -0

net/ipv6/sit.c net/ipv6/sit.c +1 -0

No files found.
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -816,6 +816,7 @@ static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
 			skb_set_owner_w(new_skb, skb->sk);
 		dev_kfree_skb(skb);
 		skb = new_skb;
+		old_iph = skb->nh.iph;
 	}
 	skb->nh.raw = skb_push(skb, gre_hlen);

--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -616,6 +616,7 @@ static int ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
 			skb_set_owner_w(new_skb, skb->sk);
 		dev_kfree_skb(skb);
 		skb = new_skb;
+		old_iph = skb->nh.iph;
 	}
 	skb->nh.raw = skb_push(skb, sizeof(struct iphdr));

--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -550,6 +550,7 @@ static int ipip6_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
 			skb_set_owner_w(new_skb, skb->sk);
 		dev_kfree_skb(skb);
 		skb = new_skb;
+		iph6 = skb->nh.ipv6h;
 	}
 	skb->nh.raw = skb_push(skb, sizeof(struct iphdr));