On Mon, 31 Dec 2007, Paul Moore wrote: > I'm pretty certain this is an uninitialized value problem now and not a > use-after-free issue. The invalid/garbage ->iif value seems to only happen > on packets that are generated locally and sent back into the stack for local > consumption, e.g. loopback. These local packets also need to have been > cloned at some point, either on the output or input path.
I think we need to find out exactly what's happening, first. > The problem appears to be a skb_clone() function which does not clear the skb > structure properly and fails to copy the ->iif value from the original skb to > the cloned skb. From what I can tell, there are two possible solutions to > this problem: > > 1. Clear all of the cloned skb fields in skb_clone() via memset() Sounds like it's not going to fly for performance reasons in any case. > 2. Copy the ->iif field in __copy_skb_header() Seems valid. - James -- James Morris <[EMAIL PROTECTED]> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
