From patchwork Sat Feb 9 04:48:21 2013
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 219367
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1360385301.6696.11.camel@edumazet-glaptop>
Subject: [PATCH] arp: fix possible crash in arp_rcv()
From: Eric Dumazet
To: David Miller
Cc: netdev
Date: Fri, 08 Feb 2013 20:48:21 -0800

From: Eric Dumazet

We should call skb_share_check() before pskb_may_pull(), or we can
crash in pskb_expand_head()

Signed-off-by: Eric Dumazet
---
 net/ipv4/arp.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c index 9547a273..ded146b 100644 --- a/net/ipv4/arp.c +++ b/net/ipv4/arp.c 
@@ -928,24 +928,25 @@ static void parp_redo(struct sk_buff *skb) static int arp_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev) { - struct arphdr *arp; + const struct arphdr *arp; + + if (dev->flags & IFF_NOARP || + skb->pkt_type == PACKET_OTHERHOST || + skb->pkt_type == PACKET_LOOPBACK) + goto freeskb; + + skb = skb_share_check(skb, GFP_ATOMIC); + if (!skb) + goto out_of_mem; /* ARP header, plus 2 device addresses, plus 2 IP addresses. */ if (!pskb_may_pull(skb, arp_hdr_len(dev))) goto freeskb; arp = arp_hdr(skb); - if (arp->ar_hln != dev->addr_len || - dev->flags & IFF_NOARP || - skb->pkt_type == PACKET_OTHERHOST || - skb->pkt_type == PACKET_LOOPBACK || - arp->ar_pln != 4) + if (arp->ar_hln != dev->addr_len || arp->ar_pln != 4) goto freeskb; - skb = skb_share_check(skb, GFP_ATOMIC); - if (skb == NULL) - goto out_of_mem; - memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb)); return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process);
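
Review bot: the ordering requirement this fix depends on, skb_share_check() ahead of pskb_may_pull() at the top of arp_rcv(), is recorded only in the commit message and not in the code. A one-line comment above the skb_share_check() call, saying that pskb_may_pull() can end up in pskb_expand_head() and must therefore be handed an unshared skb, would keep a later cleanup from folding the checks back into a single condition after the pull. A smaller style point in the new first test: `dev->flags & IFF_NOARP ||` mixes `&` and `||` without parentheses. It parses as intended and the removed lines were written the same way, but since the condition is being rewritten anyway, `(dev->flags & IFF_NOARP)` would read more clearly.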