CVE-2021-47515

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 24/05/2024
Last modified: 24/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

seg6: fix the iif in the IPv6 socket control block

When an IPv4 packet is received, the ip_rcv_core(...) sets the receiving interface index into the IPv4 socket control block (v5.16-rc4, net/ipv4/ip_input.c line 510):

    IPCB(skb)->iif = skb->skb_iif;

If that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH header, the seg6_do_srh_encap(...) performs the required encapsulation. In this case, the seg6_do_srh_encap function clears the IPv6 socket control block (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):

    memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));

The memset(...) was introduced in commit ef489749aae5 ("ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation") a long time ago (2019-01-29).

Since the IPv6 socket control block and the IPv4 socket control block share the same memory area (skb->cb), the receiving interface index info is lost (IP6CB(skb)->iif is set to zero).

As a side effect, that condition triggers a NULL pointer dereference if commit 0857d6f8c759 ("ipv6: When forwarding count rx stats on the orig netdev") is applied.

To fix that issue, we set the IP6CB(skb)->iif with the index of the receiving interface once again.
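The shared control block and the fix described above, as a simplified userspace model in C (an added example, not kernel code and not part of the advisory). The struct layouts, the `model_*` functions and the device table are assumptions for illustration; only `skb_iif`, `IPCB`, `IP6CB` and the `memset` line come from the description.

```c
#include <stdio.h>
#include <string.h>

/* Simplified layouts (assumptions); the kernel structs carry more fields. */
struct inet_skb_parm  { int iif; unsigned short flags; };
struct inet6_skb_parm { int iif; unsigned short flags, nhoff; };

struct sk_buff {
    int skb_iif;                       /* receiving interface index */
    union {                            /* models skb->cb: one area, two views */
        struct inet_skb_parm  v4;
        struct inet6_skb_parm v6;
        char raw[48];
    } cb;
};
#define IPCB(skb)  (&(skb)->cb.v4)
#define IP6CB(skb) (&(skb)->cb.v6)

/* IPv4 receive path: records the ingress interface in the IPv4 view. */
static void model_ip_rcv_core(struct sk_buff *skb) { IPCB(skb)->iif = skb->skb_iif; }

/* SRH encapsulation: clears the IPv6 view, which is the same memory. */
static void model_srh_encap(struct sk_buff *skb, int with_fix) {
    memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
    if (with_fix)
        IP6CB(skb)->iif = skb->skb_iif;   /* the fix: set iif once again */
}

/* Hypothetical consumer: resolves a device by index. Index 0 is never a
 * valid ifindex, so a zeroed iif yields NULL for the caller to trip over. */
static const char *model_dev_by_index(int ifindex) {
    static const char *devs[] = { NULL, "lo", "eth0", "eth1" };  /* constructed */
    return (ifindex > 0 && ifindex < 4) ? devs[ifindex] : NULL;
}

/* Runs receive + encap and returns the device the IPv6 path would resolve. */
static const char *model_forward(int rx_ifindex, int with_fix) {
    struct sk_buff skb = { .skb_iif = rx_ifindex };
    model_ip_rcv_core(&skb);
    model_srh_encap(&skb, with_fix);
    return model_dev_by_index(IP6CB(&skb)->iif);
}

int main(void) {
    const char *before = model_forward(2, 0), *after = model_forward(2, 1);
    printf("unfixed: %s\nfixed:   %s\n", before ? before : "(NULL)", after);
    return 0;
}
```

Without the fix the IPv6 view reports interface 0 and the lookup returns no device; with the fix the original ingress interface is resolved again.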

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14.98 (including) 4.14.258 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.20 (including) 4.19.221 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20.7 (including) 5.0 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.0.1 (including) 5.4.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.85 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.8 (excluding)
cpe:2.3:o:linux:linux_kernel:5.0:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.0:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.0:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*