forked from Minki/linux
4f0c40d944
Dccp verifies packet integrity, including length, at initial rcv in
dccp_invalid_packet, later pulls headers in dccp_enqueue_skb.
A call to sk_filter in-between can cause __skb_pull to wrap skb->len.
skb_copy_datagram_msg interprets this as a negative value, so
(correctly) fails with EFAULT. The negative length is reported in
ioctl SIOCINQ or possibly in a DCCP_WARN in dccp_close.
Introduce an sk_receive_skb variant that caps how small a filter
program can trim packets, and call this in dccp with the header
length. Excessively trimmed packets are now processed normally and
queued for reception as 0B payloads.
Fixes:
|
||
---|---|---|
.. | ||
ccids | ||
ackvec.c | ||
ackvec.h | ||
ccid.c | ||
ccid.h | ||
dccp.h | ||
diag.c | ||
feat.c | ||
feat.h | ||
input.c | ||
ipv4.c | ||
ipv6.c | ||
ipv6.h | ||
Kconfig | ||
Makefile | ||
minisocks.c | ||
options.c | ||
output.c | ||
probe.c | ||
proto.c | ||
qpolicy.c | ||
sysctl.c | ||
timer.c |