Skip to content

Commit 20d1e67

Browse files
kerneltoastroxanan1996
authored andcommitted
rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
cve-pre CVE-2026-43500 commit-author David Howells <dhowells@redhat.com> commit 55b2984 Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK, ABORT, etc.. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer. Fixes: 1f27401 ("rxrpc: Fix potential UAF after skb_unshare() failure") Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com Signed-off-by: David Howells <dhowells@redhat.com> cc: Marc Dionne <marc.dionne@auristor.com> cc: Jeffrey Altman <jaltman@auristor.com> cc: Simon Horman <horms@kernel.org> cc: linux-afs@lists.infradead.org cc: stable@kernel.org Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 55b2984) Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
1 parent b0d4877 commit 20d1e67

1 file changed

Lines changed: 2 additions & 1 deletion

File tree

net/rxrpc/call_event.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -401,7 +401,8 @@ bool rxrpc_input_call_event(struct rxrpc_call *call, struct sk_buff *skb)
401401
if (skb) {
402402
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
403403

404-
if (sp->hdr.securityIndex != 0 &&
404+
if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
405+
sp->hdr.securityIndex != 0 &&
405406
skb_cloned(skb)) {
406407
/* Unshare the packet so that it can be
407408
* modified by in-place decryption.

0 commit comments

Comments
 (0)