Patchwork ipv6: check if dereference of ipv6 header is safe

mail settings
Submitter Hannes Frederic Sowa
Date Jan. 17, 2013, 3:56 a.m.
Message ID <>
Download mbox | patch
Permalink /patch/213137/
State Superseded
Delegated to: David Miller
Headers show


Hannes Frederic Sowa - Jan. 17, 2013, 3:56 a.m.
When ipip6_rcv gets called we are sure that we have a full blown
ipv4 packet header in the linear skb buffer (this is checked by
xfrm4_mode_tunnel_input). Because we dereference fields of the inner
ipv6 header we should actually check for the length of the sum of the
ipv4 and ipv6 header.

If the skb is too short this packet could very well be destined for
another tunnel. So we should notify the caller accordingly (albeit
currently xfrm4_mode_tunnel_input does not care; this could need another

Signed-off-by: Hannes Frederic Sowa <>
 net/ipv6/sit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 2b4c15a..389d6e3 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -612,8 +612,8 @@  static int ipip6_rcv(struct sk_buff *skb)
 	struct ip_tunnel *tunnel;
 	int err;
-	if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
-		goto out;
+	if (!pskb_may_pull(skb, sizeof(struct iphdr) + sizeof(struct ipv6hdr)))
+		return 1;
 	iph = ip_hdr(skb);