authorEric Dumazet <edumazet@google.com>2026-05-05 16:00:56 +0300
committerJakub Kicinski <kuba@kernel.org>2026-05-07 03:29:23 +0300
commit7aaa8f5e45a92678256c1e17f1fa2c2f45c61dd1 (patch)
treea32967d41a88fefdc7f1694b3d5ed4b6f636dbc5
parent0e1368a28dd5231ae0dbe240dfe0ff2657de5647 (diff)
downloadlinux-7aaa8f5e45a92678256c1e17f1fa2c2f45c61dd1.tar.xz
ipv6: fix potential UAF caused by ip6_forward_proxy_check()
ip6_forward_proxy_check() calls pskb_may_pull() which might re-allocate skb->head. Reload ipv6_hdr() after the pskb_may_pull() call to avoid using the freed memory. Fixes: e21e0b5f19ac ("[IPV6] NDISC: Handle NDP messages to proxied addresses.") Reported-by: Damiano Melotti <melotti@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: David Ahern <dsahern@kernel.org> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260505130056.2927197-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r--net/ipv6/ip6_output.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 1f2a33fbed6e..c14adcdd4396 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -468,6 +468,7 @@ static int ip6_forward_proxy_check(struct sk_buff *skb)
default:
break;
}
+ hdr = ipv6_hdr(skb);
}
/*
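Review bot: The added `hdr = ipv6_hdr(skb);` after the switch carries no comment explaining why it is there, so it reads like a redundant assignment that a later cleanup could remove. The commit message gives the reason: pskb_may_pull() can reallocate skb->head, which leaves the earlier hdr pointing at freed memory. A one-line comment above the reload, such as `/* pskb_may_pull() may have reallocated skb->head; reload hdr */`, would keep the use-after-free fix from being undone. The same comment fits the reload added after the ip6_forward_proxy_check() call in ip6_forward(). The pskb_may_pull() call and the later use of hdr both lie outside this hunk.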
@@ -582,6 +583,8 @@ int ip6_forward(struct sk_buff *skb)
if (READ_ONCE(net->ipv6.devconf_all->proxy_ndp) &&
pneigh_lookup(&nd_tbl, net, &hdr->daddr, skb->dev)) {
int proxied = ip6_forward_proxy_check(skb);
+
+ hdr = ipv6_hdr(skb);
if (proxied > 0) {
/* It's tempting to decrease the hop limit
* here by 1, as we do at the end of the
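Review bot: Only hdr is refreshed after `int proxied = ip6_forward_proxy_check(skb);`, so any other local in ip6_forward() derived from the packet head before this call would be stale in the same way. The rest of the function is outside the hunk, so this may already be fine. It is still worth confirming that nothing else caches a pointer into skb->head across the call. A header comment on ip6_forward_proxy_check() stating that it may reallocate skb->head and that callers must re-read header pointers afterwards would make that rule visible to future callers.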