diff mbox

[net-2.6] gre: fix improper error handling

Message ID 201107221326.10597.xeb@mail.ru
State Changes Requested, archived
Delegated to: David Miller
Headers show

Commit Message

xeb@mail.ru July 22, 2011, 9:26 a.m. UTC 
Fix improper protocol err_handler, current implementation is fully 
unapplicable and may cause kernel crash due to double kfree_skb.

Signed-off-by: Dmitry Kozlov <xeb@mail.ru>
--
 net/ipv4/gre.c |   23 +++++++----------------
 1 files changed, 7 insertions(+), 16 deletions(-)

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Miller July 22, 2011, 1:01 p.m. UTC | #1 
From: Dmitry Kozlov <xeb@mail.ru>
Date: Fri, 22 Jul 2011 13:26:10 +0400

> Fix improper protocol err_handler, current implementation is fully 
> unapplicable and may cause kernel crash due to double kfree_skb.
> 
> Signed-off-by: Dmitry Kozlov <xeb@mail.ru>

Your patch has been corrupted by your email client.

For example, it has changed tab characters into sequences of spaces.

This makes your patch unusable.

Please read Documentation/email-clients.txt to learn how to fix this,
and after fixing your setup send a test patch to yourself and try
to apply it just as we would when you post it here.

Only after this self-test passes, should you try to resubmit your
patch.

Thank you.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/ipv4/gre.c b/net/ipv4/gre.c
index c6933f2..a8126fe 100644
--- a/net/ipv4/gre.c
+++ b/net/ipv4/gre.c
@@ -15,6 +15,7 @@ 
 #include <linux/kmod.h>
 #include <linux/skbuff.h>
 #include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/netdevice.h>
 #include <linux/version.h>
 #include <linux/spinlock.h>
@@ -97,27 +98,17 @@  drop:
 static void gre_err(struct sk_buff *skb, u32 info)
 {
        const struct gre_protocol *proto;
-       u8 ver;
-
-       if (!pskb_may_pull(skb, 12))
-               goto drop;
-
-       ver = skb->data[1]&0x7f;
+       const struct iphdr *iph = (const struct iphdr *)skb->data;
+       u8 ver = skb->data[(iph->ihl<<2) + 1]&0x7f;
+
        if (ver >= GREPROTO_MAX)
-               goto drop;
+               return;
 
        rcu_read_lock();
        proto = rcu_dereference(gre_proto[ver]);
-       if (!proto || !proto->err_handler)
-               goto drop_unlock;
-       proto->err_handler(skb, info);
-       rcu_read_unlock();
-       return;
-
-drop_unlock:
+       if (proto && proto->err_handler)
+           proto->err_handler(skb, info);
        rcu_read_unlock();
-drop:
-       kfree_skb(skb);
 }
 
 static const struct net_protocol net_gre_protocol = {