bridge: Fix IGMP3 report parsing

Message ID	20100408040709.GA19944@gondor.apana.org.au
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> Date: Thu, 8 Apr 2010 12:07:09 +0800 From: Herbert Xu <herbert@gondor.apana.org.au> To: David Miller <davem@davemloft.net> Cc: netdev@vger.kernel.org, banyeer@yahoo.com Subject: Re: bridge: Fix IGMP3 report parsing Message-ID: <20100408040709.GA19944@gondor.apana.org.au> References: <20100408012634.GC18649@gondor.apana.org.au> <20100407.205248.113724360.davem@davemloft.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20100407.205248.113724360.davem@davemloft.net> User-Agent: Mutt/1.5.18 (2008-05-17) Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

20100408040709.GA19944@gondor.apana.org.au

State

Accepted, archived

Delegated to:

David Miller

Headers

Date: Thu, 8 Apr 2010 12:07:09 +0800
From: Herbert Xu <herbert@gondor.apana.org.au>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, banyeer@yahoo.com
Subject: Re: bridge: Fix IGMP3 report parsing
Message-ID: <20100408040709.GA19944@gondor.apana.org.au>
References: <20100408012634.GC18649@gondor.apana.org.au>
	<20100407.205248.113724360.davem@davemloft.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20100407.205248.113724360.davem@davemloft.net>
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Herbert Xu April 8, 2010, 4:07 a.m. UTC

On Wed, Apr 07, 2010 at 08:52:48PM -0700, David Miller wrote:
> 
> If pskb_may_pull() actually does anything non-trivial,
> skb->data will change and you'll be referring to freed
> up memory.
> 
> That's probably why you had the grec assignment where
> you originally had it in the first place :-)

Heh, you're clearly more awake than I was :)

bridge: Fix IGMP3 report parsing

The IGMP3 report parsing is looking at the wrong address for
group records.  This patch fixes it.

Reported-by: Banyeer <banyeer@yahoo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,

Comments

David Miller April 8, 2010, 4:21 a.m. UTC | #1

From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu, 8 Apr 2010 12:07:09 +0800

> On Wed, Apr 07, 2010 at 08:52:48PM -0700, David Miller wrote:
>> 
>> If pskb_may_pull() actually does anything non-trivial,
>> skb->data will change and you'll be referring to freed
>> up memory.
>> 
>> That's probably why you had the grec assignment where
>> you originally had it in the first place :-)
> 
> Heh, you're clearly more awake than I was :)

:-)

> bridge: Fix IGMP3 report parsing
> 
> The IGMP3 report parsing is looking at the wrong address for
> group records.  This patch fixes it.
> 
> Reported-by: Banyeer <banyeer@yahoo.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Applied, thanks Herbert.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 6980625..f29ada8 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -723,7 +723,7 @@  static int br_multicast_igmp3_report(struct net_bridge *br,
 		if (!pskb_may_pull(skb, len))
 			return -EINVAL;
 
-		grec = (void *)(skb->data + len);
+		grec = (void *)(skb->data + len - sizeof(*grec));
 		group = grec->grec_mca;
 		type = grec->grec_type;

bridge: Fix IGMP3 report parsing

Commit Message

Comments

Patch