On Mon, 2017-03-20 at 12:59 +0800, Anarcheuz Fritz wrote:
> Hi David,
>
> While working on some legacy kernel I stumbled upon a null-ptr deref in
> ip_options_echo. The bug has been verified on the latest version
> 3.2.87 from the supported long-term branch.
>
Fixed in commit 34b2cef20f19c87999fff3da4071e66937db9644 ("ipv4: keep skb->dst around in presence of IP options") For 3.2, since d826eb14ecef was not backported, following patch should do it. (Bug origin was f84af32cbca70 ("net: ip_queue_rcv_skb() helper")) diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index b3648bbef0da..a6e1eeb02267 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -1009,7 +1009,8 @@ e_inval: */ int ip_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) { - if (!(inet_sk(sk)->cmsg_flags & IP_CMSG_PKTINFO)) + if (!(inet_sk(sk)->cmsg_flags & IP_CMSG_PKTINFO) && + !IPCB(skb)->opt.optlen) skb_dst_drop(skb); return sock_queue_rcv_skb(sk, skb); }
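Review bot: the widened condition in ip_queue_rcv_skb() keeps skb->dst whenever IPCB(skb)->opt.optlen is non-zero, but the hunk carries no comment saying why, so a later reader of the 3.2 branch has no clue that the dst is needed downstream; suggest a one-line comment above the `if`, e.g. `/* ip_options_echo() dereferences skb_dst() when IP options are present */`, tying it to the null-pointer dereference reported above and to upstream 34b2cef20f19 ("ipv4: keep skb->dst around in presence of IP options"). Two things worth confirming for the backport: that IPCB(skb)->opt is still the populated receive-side options block at this call site on 3.2 (it is filled by ip_rcv_options() on the input path, so it should be, but the out-of-tree ordering differs from mainline once d826eb14ecef is absent), and that skipping skb_dst_drop() on option-carrying packets does not leave a dst attached in any path that expects it to be gone before sock_queue_rcv_skb(); both are true of the upstream fix, so a short note in the commit message that this is the reduced 3.2 equivalent of 34b2cef20f19, with the origin f84af32cbca70 named as Fixes:, would make the lineage explicit.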