Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

author: David S. Miller <davem@davemloft.net> 2019-10-05 13:37:23 -0700
committer: David S. Miller <davem@davemloft.net> 2019-10-05 13:37:23 -0700
commit: 6f4c930e02355664d89c976eccea5d999a90de16 (patch)
tree: bc08932fbf43b9560ba5bde3284674054e3b56eb /net/ipv6/ip6_input.c
parent: 26e0105550862a137eba701e2f4e3eeb343759e9 (diff)
parent: 2d00aee21a5d4966e086d98f9d710afb92fb14e8 (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index d432d0011c16..3d71c7d6102c 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -223,6 +223,16 @@ static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev,
 	if (ipv6_addr_is_multicast(&hdr->saddr))
 		goto err;
 
+	/* While RFC4291 is not explicit about v4mapped addresses
+	 * in IPv6 headers, it seems clear linux dual-stack
+	 * model can not deal properly with these.
+	 * Security models could be fooled by ::ffff:127.0.0.1 for example.
+	 *
+	 * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
+	 */
+	if (ipv6_addr_v4mapped(&hdr->saddr))
+		goto err;
+
 	skb->transport_header = skb->network_header + sizeof(*hdr);
 	IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
 
@@ -371,7 +381,7 @@ resubmit_final:
 			/* Free reference early: we don't need it any more,
 			   and it may hold ip_conntrack module loaded
 			   indefinitely. */
-			nf_reset(skb);
+			nf_reset_ct(skb);
 
 			skb_postpull_rcsum(skb, skb_network_header(skb),
 					   skb_network_header_len(skb));
author	David S. Miller <davem@davemloft.net>	2019-10-05 13:37:23 -0700
committer	David S. Miller <davem@davemloft.net>	2019-10-05 13:37:23 -0700
commit	6f4c930e02355664d89c976eccea5d999a90de16 (patch)
tree	bc08932fbf43b9560ba5bde3284674054e3b56eb /net/ipv6/ip6_input.c
parent	26e0105550862a137eba701e2f4e3eeb343759e9 (diff)
parent	2d00aee21a5d4966e086d98f9d710afb92fb14e8 (diff)