From patchwork Fri May 31 02:39:29 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Horman <horms@verge.net.au>
X-Patchwork-Id: 247829
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id BAC472C0099
	for <incoming@patchwork.ozlabs.org>;
	Fri, 31 May 2013 12:39:00 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752668Ab3EaCi6 (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Thu, 30 May 2013 22:38:58 -0400
Received: from kirsty.vergenet.net ([202.4.237.240]:41510 "EHLO
	kirsty.vergenet.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751684Ab3EaCi6 (ORCPT
	<rfc822;netfilter-devel@vger.kernel.org>);
	Thu, 30 May 2013 22:38:58 -0400
Received: from vergenet.net (p2155-ipngn4501marunouchi.tokyo.ocn.ne.jp
	[153.135.240.155])
	by kirsty.vergenet.net (Postfix) with ESMTP id 3D1A6266CEF;
	Fri, 31 May 2013 12:38:57 +1000 (EST)
Received: by vergenet.net (Postfix, from userid 7100)
	id 9D2F27C1B59; Fri, 31 May 2013 11:39:40 +0900 (JST)
From: Simon Horman <horms@verge.net.au>
To: Pablo Neira Ayuso <pablo@netfilter.org>,
	David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	Chen Gang <gang.chen@asianux.com>, Simon Horman <horms@verge.net.au>
Subject: [PATCH net-next v3] netfilter: Correct calculation using skb->tail
	and skb-network_header
Date: Fri, 31 May 2013 11:39:29 +0900
Message-Id: <1369967969-32375-1-git-send-email-horms@verge.net.au>
X-Mailer: git-send-email 1.7.10.4
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

This corrects an regression introduced by "net: Use 16bits for *_headers
fields of struct skbuff" when NET_SKBUFF_DATA_USES_OFFSET is not set. In
that case skb->tail will be a pointer whereas skb->network_header
will be an offset from head. This is corrected by using wrappers that
ensure that calculations are always made using pointers.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
v3
* Add net-next to subject prefix

v2
* Use skb_tail_pointer() to ensure the tail portion of the calculation is
  always a pointer - it is not if NET_SKBUFF_DATA_USES_OFFSET is not set.
---
 net/netfilter/nf_nat_helper.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_nat_helper.c b/net/netfilter/nf_nat_helper.c
index 5fea563..85e20a9 100644
--- a/net/netfilter/nf_nat_helper.c
+++ b/net/netfilter/nf_nat_helper.c
@@ -104,7 +104,7 @@ static void mangle_contents(struct sk_buff *skb,
 	/* move post-replacement */
 	memmove(data + match_offset + rep_len,
 		data + match_offset + match_len,
-		skb->tail - (skb->network_header + dataoff +
+		skb_tail_pointer(skb) - (skb_network_header(skb) + dataoff +
 			     match_offset + match_len));
 
 	/* insert data from buffer */