f9f02cca25
When IPv6 connection tracking splits up a defragmented packet into its original fragments, the packets are taken from a list and are passed to the network stack with skb->next still set. This causes dev_hard_start_xmit to treat them as GSO fragments, resulting in a use after free when connection tracking handles the next fragment. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
ip6_queue.c | ||
ip6_tables.c | ||
ip6t_ah.c | ||
ip6t_eui64.c | ||
ip6t_frag.c | ||
ip6t_hbh.c | ||
ip6t_hl.c | ||
ip6t_HL.c | ||
ip6t_ipv6header.c | ||
ip6t_LOG.c | ||
ip6t_owner.c | ||
ip6t_REJECT.c | ||
ip6t_rt.c | ||
ip6table_filter.c | ||
ip6table_mangle.c | ||
ip6table_raw.c | ||
Kconfig | ||
Makefile | ||
nf_conntrack_l3proto_ipv6.c | ||
nf_conntrack_proto_icmpv6.c | ||
nf_conntrack_reasm.c |