leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ipv6: mip6: fix mip6_mh_filter()

Browse Source 
mip6_mh_filter() should not modify its input, or else its caller
would need to recompute ipv6_hdr() if skb->head is reallocated.

Use skb_header_pointer() instead of pskb_may_pull()

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2012-09-25 22:01:28 +02:00 committed by David S. Miller
parent 78cc88c408
commit 96af69ea2a
1 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
net/ipv6/mip6.c
View File

@ -86,28 +86,30 @@ static int mip6_mh_len(int type)
static int mip6_mh_filter(struct sock *sk, struct sk_buff *skb) static int mip6_mh_filter(struct sock *sk, struct sk_buff *skb)
{ {
struct ip6_mh *mh; struct ip6_mh _hdr;
const struct ip6_mh *mh;
if (!pskb_may_pull(skb, (skb_transport_offset(skb)) + 8) || mh = skb_header_pointer(skb, skb_transport_offset(skb),
!pskb_may_pull(skb, (skb_transport_offset(skb) + sizeof(_hdr), &_hdr);
((skb_transport_header(skb)[1] + 1) << 3)))) if (!mh)
return -1; return -1;
mh = (struct ip6_mh *)skb_transport_header(skb); if (((mh->ip6mh_hdrlen + 1) << 3) > skb->len)
return -1;
if (mh->ip6mh_hdrlen < mip6_mh_len(mh->ip6mh_type)) { if (mh->ip6mh_hdrlen < mip6_mh_len(mh->ip6mh_type)) {
LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH message too short: %d vs >=%d\n", LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH message too short: %d vs >=%d\n",
mh->ip6mh_hdrlen, mip6_mh_len(mh->ip6mh_type)); mh->ip6mh_hdrlen, mip6_mh_len(mh->ip6mh_type));
mip6_param_prob(skb, 0, ((&mh->ip6mh_hdrlen) - mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_hdrlen) +
skb_network_header(skb))); skb_network_header_len(skb));
return -1; return -1;
} }
if (mh->ip6mh_proto != IPPROTO_NONE) { if (mh->ip6mh_proto != IPPROTO_NONE) {
LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n", LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n",
mh->ip6mh_proto); mh->ip6mh_proto);
mip6_param_prob(skb, 0, ((&mh->ip6mh_proto) - mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_proto) +
skb_network_header(skb))); skb_network_header_len(skb));
return -1; return -1;
} }