ipv6: protect skb->sk accesses from recursive dereference inside the stack
authorhannes@stressinduktion.org <hannes@stressinduktion.org>
Wed, 1 Apr 2015 15:07:44 +0000 (17:07 +0200)
committerDavid S. Miller <davem@davemloft.net>
Mon, 6 Apr 2015 20:12:49 +0000 (16:12 -0400)
commitf60e5990d9c1424af9dbca60a23ba2a1c7c1ce90
treebba5ed057073e42c0113473e1cdbff0bc46ab875
parent576b7cd2f6ff1e90b3fc0a000d2fe74f8a50a4bb
ipv6: protect skb->sk accesses from recursive dereference inside the stack

We should not consult skb->sk for output decisions in xmit recursion
levels > 0 in the stack. Otherwise local socket settings could influence
the result of e.g. tunnel encapsulation process.

ipv6 does not conform with this in three places:

1) ip6_fragment: we do consult ipv6_npinfo for frag_size

2) sk_mc_loop in ipv6 uses skb->sk and checks if we should
   loop the packet back to the local socket

3) ip6_skb_dst_mtu could query the settings from the user socket and
   force a wrong MTU

Furthermore:
In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
PF_PACKET socket ontop of an IPv6-backed vxlan device.

Reuse xmit_recursion as we are currently only interested in protecting
tunnel devices.

Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/netdevice.h
include/net/ip.h
include/net/ip6_route.h
include/net/sock.h
net/core/dev.c
net/core/sock.c
net/ipv6/ip6_output.c