From patchwork Thu Oct 11 07:50:41 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [Precise/Quantal] bridge: Pull ip header into skb->data before
 looking into ip header.
From: Jesse Sung <jesse.sung@canonical.com>
X-Patchwork-Id: 190828
Message-Id: <1349941841-11798-1-git-send-email-jesse.sung@canonical.com>
To: kernel-team@lists.ubuntu.com
Cc: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
Date: Thu, 11 Oct 2012 15:50:41 +0800

From: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>

BugLink: https://launchpad.net/bugs/1065150

If lower layer driver leaves the ip header in the skb fragment, it needs to
be first pulled into skb->data before inspecting ip header length or ip version
number.

Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 6caab7b0544e83e6c160b5e80f5a4a7dd69545c7 net.git)

Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com>
Acked-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Andy Whitcroft <apw@canonical.com>

---
net/bridge/br_netfilter.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 577ea5d..7c1745d 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -245,6 +245,9 @@ static int br_parse_ip_options(struct sk_buff *skb)
 	struct net_device *dev = skb->dev;
 	u32 len;
 
+	if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+		goto inhdr_error;
+
 	iph = ip_hdr(skb);
 	opt = &(IPCB(skb)->opt);