From: Xin Long <lucien....@gmail.com>
Date: Sun, 13 Sep 2020 19:37:31 +0800

> In tipc_buf_append() it may change skb's frag_list, and it causes
> problems when this skb is cloned. skb_unclone() doesn't really
> make this skb's frag_list available to change.
>
> Shuang Li has reported a use-after-free issue because of this
> when creating quite a few macvlan dev over the same dev, where
> the broadcast packets will be cloned and go up to the stack:

...

> So fix it by using skb_unshare() instead, which would create a new
> skb for the cloned frag and it'll be safe to change its frag_list.
> The similar things were also done in sctp_make_reassembled_event(),
> which is using skb_copy().
>
> Reported-by: Shuang Li <shu...@redhat.com>
> Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function")
> Signed-off-by: Xin Long <lucien....@gmail.com>

Applied and queued up for -stable, thanks.

_______________________________________________
tipc-discussion mailing list
tipc-discussion@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tipc-discussion