Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt

l4proto->manip_pkt() can cause reallocation of skb head so pointer
to the ipv6 header must be reloaded.

Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
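As an added illustration of the defect the message describes (not code from the kernel or from this commit), here is a toy model in C: the stand-in for l4proto->manip_pkt() moves the skb head, and the caller reloads the header pointer afterwards, as the fix does. toy_skb, toy_ip6h, toy_manip_pkt, manip_src_addr and check_src_rewritten are constructed names for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: an "skb" whose head is one heap buffer, and an
 * IPv6 header reduced to the fields this example touches. */
struct toy_skb  { unsigned char *data; size_t len; };
struct toy_ip6h { uint8_t vtc_flow[4]; uint8_t saddr[16]; uint8_t daddr[16]; };

/* Stand-in for l4proto->manip_pkt(): like an expand of the skb head it
 * allocates a new buffer, copies the packet and frees the old one, so any
 * pointer derived from the old skb->data dangles afterwards. */
static int toy_manip_pkt(struct toy_skb *skb)
{
    unsigned char *nhead = malloc(skb->len + 128);
    if (!nhead)
        return 0;
    memcpy(nhead, skb->data, skb->len);
    free(skb->data);
    skb->data = nhead;
    return 1;
}

/* Pattern of the fix: ipv6h is recomputed from skb->data after manip_pkt()
 * and only then used for the address rewrite. Returns 1 on success. */
static int manip_src_addr(struct toy_skb *skb, size_t iphdroff, const uint8_t newsrc[16])
{
    struct toy_ip6h *ipv6h = (struct toy_ip6h *)(skb->data + iphdroff);

    (void)ipv6h;            /* uses before manip_pkt() see the original head */
    if (!toy_manip_pkt(skb))
        return 0;
    /* The buggy code kept writing through the ipv6h computed above, i.e.
     * into the freed head. Reload it from the (possibly new) skb->data. */
    ipv6h = (struct toy_ip6h *)(skb->data + iphdroff);
    memcpy(ipv6h->saddr, newsrc, 16);
    return 1;
}

/* Build a packet with the header at iphdroff, run the rewrite, and return 1
 * if the new source address landed in the header of the current head. */
static int check_src_rewritten(size_t iphdroff)
{
    static const uint8_t newsrc[16] = { 0x20, 0x01, 0x0d, 0xb8 };  /* constructed */
    size_t len = iphdroff + sizeof(struct toy_ip6h);
    struct toy_skb skb = { calloc(1, len), len };
    int ok = skb.data && manip_src_addr(&skb, iphdroff, newsrc) &&
             memcmp(skb.data + iphdroff + offsetof(struct toy_ip6h, saddr), newsrc, 16) == 0;
    free(skb.data);
    return ok;
}
```

Running the toy under ASan with the reload line removed reports the write as heap-use-after-free, which is the class of defect syzbot flagged here.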

authored by Florian Westphal and committed by Pablo Neira Ayuso
b078556a 1a9da593

net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
··· 99 99 !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff, 100 100 target, maniptype)) 101 101 return false; 102 + 103 + /* must reload, offset might have changed */ 104 + ipv6h = (void *)skb->data + iphdroff; 105 + 102 106 manip_addr: 103 107 if (maniptype == NF_NAT_MANIP_SRC) 104 108 ipv6h->saddr = target->src.u3.in6;
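Review bot: the new comment `/* must reload, offset might have changed */` names the wrong thing: iphdroff is unchanged, it is skb->data that may point at a new head once l4proto->manip_pkt() has reallocated it; suggest `/* manip_pkt() may have reallocated the head, reload the header pointer */` so the next reader does not go looking for a changed offset. The reload itself sits on the only path where manip_pkt() has run and before the writes under manip_addr:, which is right; any other pointer into skb->data cached before that call would need the same treatment, though none is visible in this hunk.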