ipsec: Use the correct ip_local_out function
Herbert Xu [Tue, 20 May 2008 21:32:14 +0000 (14:32 -0700)]
Because the IPsec output function xfrm_output_resume does its
own dst_output call it should always call __ip_local_output
instead of ip_local_output as the latter may invoke dst_output
directly.  Otherwise the return values from nf_hook and dst_output
may clash as they both use the value 1 but for different purposes.

When that clash occurs this can cause a packet to be used after
it has been freed which usually leads to a crash.  Because the
offending value is only returned from dst_output with qdiscs
such as HTB, this bug is normally not visible.

Thanks to Marco Berizzi for his perseverance in tracking this
down.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/route.c
net/ipv6/route.c

index 92f90ae..df41026 100644 (file)
@@ -160,7 +160,7 @@ static struct dst_ops ipv4_dst_ops = {
        .negative_advice =      ipv4_negative_advice,
        .link_failure =         ipv4_link_failure,
        .update_pmtu =          ip_rt_update_pmtu,
-       .local_out =            ip_local_out,
+       .local_out =            __ip_local_out,
        .entry_size =           sizeof(struct rtable),
        .entries =              ATOMIC_INIT(0),
 };
index b7a4a87..48534c6 100644 (file)
@@ -109,7 +109,7 @@ static struct dst_ops ip6_dst_ops_template = {
        .negative_advice        =       ip6_negative_advice,
        .link_failure           =       ip6_link_failure,
        .update_pmtu            =       ip6_rt_update_pmtu,
-       .local_out              =       ip6_local_out,
+       .local_out              =       __ip6_local_out,
        .entry_size             =       sizeof(struct rt6_info),
        .entries                =       ATOMIC_INIT(0),
 };