Commit a8951d58 authored by Sergey Popovich's avatar Sergey Popovich Committed by Pablo Neira Ayuso

netfilter: Fix potential use after free in ip6_route_me_harder()

Dst is released one line before we access it again with dst->error.

Fixes: 58e35d14 netfilter: ipv6: propagate routing errors from
ip6_route_me_harder()
Signed-off-by: default avatarSergey Popovich <popovich_sergei@mail.ru>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent aff09ce3
...@@ -30,13 +30,15 @@ int ip6_route_me_harder(struct sk_buff *skb) ...@@ -30,13 +30,15 @@ int ip6_route_me_harder(struct sk_buff *skb)
.daddr = iph->daddr, .daddr = iph->daddr,
.saddr = iph->saddr, .saddr = iph->saddr,
}; };
int err;
dst = ip6_route_output(net, skb->sk, &fl6); dst = ip6_route_output(net, skb->sk, &fl6);
if (dst->error) { err = dst->error;
if (err) {
IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n"); LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
dst_release(dst); dst_release(dst);
return dst->error; return err;
} }
/* Drop old route. */ /* Drop old route. */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment