Commit 028b0275 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[DCCP]: Fix skb->cb conflicts with IP

dev_queue_xmit() and the other IP output functions expect to get a skb
with clear or properly initialized skb->cb. Unlike TCP and UDP, the
dccp_skb_cb doesn't contain a struct inet_skb_parm at the beginning,
so the DCCP-specific data is interpreted by the IP output functions.
This can cause false negatives for the conditional POST_ROUTING hook
invocation, making the packet bypass the hook.

Add a inet_skb_parm/inet6_skb_parm union to the beginning of
dccp_skb_cb to avoid clashes. Also add a BUILD_BUG_ON to make
sure it fits in the cb.

[ Combined with patch from Gerrit Renker to remove two now unnecessary
  memsets of IPCB(skb)->opt ]
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Acked-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ae1b6a31
...@@ -325,6 +325,12 @@ static inline int dccp_bad_service_code(const struct sock *sk, ...@@ -325,6 +325,12 @@ static inline int dccp_bad_service_code(const struct sock *sk,
* This is used for transmission as well as for reception. * This is used for transmission as well as for reception.
*/ */
struct dccp_skb_cb { struct dccp_skb_cb {
union {
struct inet_skb_parm h4;
#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
struct inet6_skb_parm h6;
#endif
} header;
__u8 dccpd_type:4; __u8 dccpd_type:4;
__u8 dccpd_ccval:4; __u8 dccpd_ccval:4;
__u8 dccpd_reset_code, __u8 dccpd_reset_code,
......
...@@ -489,7 +489,6 @@ static int dccp_v4_send_response(struct sock *sk, struct request_sock *req, ...@@ -489,7 +489,6 @@ static int dccp_v4_send_response(struct sock *sk, struct request_sock *req,
dh->dccph_checksum = dccp_v4_csum_finish(skb, ireq->loc_addr, dh->dccph_checksum = dccp_v4_csum_finish(skb, ireq->loc_addr,
ireq->rmt_addr); ireq->rmt_addr);
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
err = ip_build_and_send_pkt(skb, sk, ireq->loc_addr, err = ip_build_and_send_pkt(skb, sk, ireq->loc_addr,
ireq->rmt_addr, ireq->rmt_addr,
ireq->opt); ireq->opt);
......
...@@ -126,7 +126,6 @@ static int dccp_transmit_skb(struct sock *sk, struct sk_buff *skb) ...@@ -126,7 +126,6 @@ static int dccp_transmit_skb(struct sock *sk, struct sk_buff *skb)
DCCP_INC_STATS(DCCP_MIB_OUTSEGS); DCCP_INC_STATS(DCCP_MIB_OUTSEGS);
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
err = icsk->icsk_af_ops->queue_xmit(skb, 0); err = icsk->icsk_af_ops->queue_xmit(skb, 0);
return net_xmit_eval(err); return net_xmit_eval(err);
} }
......
...@@ -1057,6 +1057,9 @@ static int __init dccp_init(void) ...@@ -1057,6 +1057,9 @@ static int __init dccp_init(void)
int ehash_order, bhash_order, i; int ehash_order, bhash_order, i;
int rc = -ENOBUFS; int rc = -ENOBUFS;
BUILD_BUG_ON(sizeof(struct dccp_skb_cb) >
FIELD_SIZEOF(struct sk_buff, cb));
dccp_hashinfo.bind_bucket_cachep = dccp_hashinfo.bind_bucket_cachep =
kmem_cache_create("dccp_bind_bucket", kmem_cache_create("dccp_bind_bucket",
sizeof(struct inet_bind_bucket), 0, sizeof(struct inet_bind_bucket), 0,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment