[NETFILTER]: ipt_REJECT: fix memory corruption
Patrick McHardy [Wed, 29 Nov 2006 04:10:21 +0000 (20:10 -0800)]
On devices with hard_header_len > LL_MAX_HEADER ip_route_me_harder()
reallocates the skb, leading to memory corruption when using the stale
tcph pointer to update the checksum.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/netfilter/ipt_REJECT.c

index ad0312d..264763a 100644 (file)
@@ -114,6 +114,14 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        tcph->window = 0;
        tcph->urg_ptr = 0;
 
+       /* Adjust TCP checksum */
+       tcph->check = 0;
+       tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
+                                  nskb->nh.iph->saddr,
+                                  nskb->nh.iph->daddr,
+                                  csum_partial((char *)tcph,
+                                               sizeof(struct tcphdr), 0));
+
        /* Set DF, id = 0 */
        nskb->nh.iph->frag_off = htons(IP_DF);
        nskb->nh.iph->id = 0;
@@ -129,14 +137,8 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        if (ip_route_me_harder(&nskb, addr_type))
                goto free_nskb;
 
-       /* Adjust TCP checksum */
        nskb->ip_summed = CHECKSUM_NONE;
-       tcph->check = 0;
-       tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-                                  nskb->nh.iph->saddr,
-                                  nskb->nh.iph->daddr,
-                                  csum_partial((char *)tcph,
-                                               sizeof(struct tcphdr), 0));
+
        /* Adjust IP TTL */
        nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);