From patchwork Fri Jan 18 12:05:03 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: 
 =?utf-8?b?WU9TSElGVUpJIEhpZGVha2kgLyDlkInol6Toi7HmmI4=?=
 <yoshfuji@linux-ipv6.org>
X-Patchwork-Id: 213601
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 68D722C007A
	for <patchwork-incoming@ozlabs.org>;
	Fri, 18 Jan 2013 23:05:11 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751374Ab3ARMFG (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 18 Jan 2013 07:05:06 -0500
Received: from 94.43.138.210.xn.2iij.net ([210.138.43.94]:45595 "EHLO
	mail.st-paulia.net" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
	with ESMTP id S1751123Ab3ARMFE (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 18 Jan 2013 07:05:04 -0500
Received: from [192.168.2.160] (unknown [192.168.2.160])
	by mail.st-paulia.net (Postfix) with ESMTPSA id E39191BDBF;
	Fri, 18 Jan 2013 21:05:03 +0900 (JST)
Message-ID: <50F93A6F.9020303@linux-ipv6.org>
Date: Fri, 18 Jan 2013 21:05:03 +0900
From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Organization: USAGI Project
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: David Miller <davem@davemloft.net>, netdev <netdev@vger.kernel.org>
CC: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Subject: [PATCH net-next] ndisc: Check NS message length before access.
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Check message length before accessing "target" field,
as we do for other types.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
---
 net/ipv6/ndisc.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 429622d..350f860 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -671,6 +671,11 @@ static void ndisc_recv_ns(struct sk_buff *skb)
 	bool inc;
 	int is_router = -1;
 
+	if (skb->len < sizeof(struct nd_msg)) {
+		ND_PRINTK(2, warn, "NS: packet too short\n");
+		return;
+	}
+
 	if (ipv6_addr_is_multicast(&msg->target)) {
 		ND_PRINTK(2, warn, "NS: multicast target address\n");
 		return;