diff mbox

cls_rsvp: add sanity check for the packet length

Message ID 1280912124-30374-1-git-send-email-xiaosuo@gmail.com
State Changes Requested, archived
Delegated to: David Miller
Headers show

Commit Message

Changli Gao Aug. 4, 2010, 8:55 a.m. UTC 
The packet length should be checked before the packet data is dereferenced.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
---
 net/sched/cls_rsvp.h |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

jamal Aug. 4, 2010, 1:42 p.m. UTC | #1 
On Wed, 2010-08-04 at 16:55 +0800, Changli Gao wrote:
> The packet length should be checked before the packet data is dereferenced.
> 
> Signed-off-by: Changli Gao <xiaosuo@gmail.com>
> ---
>  net/sched/cls_rsvp.h |   10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
> index dd9414e..4fa119d 100644
> --- a/net/sched/cls_rsvp.h
> +++ b/net/sched/cls_rsvp.h
> @@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp,
>  	u8 tunnelid = 0;
>  	u8 *xprt;
>  #if RSVP_DST_LEN == 4
> -	struct ipv6hdr *nhptr = ipv6_hdr(skb);
> +	struct ipv6hdr *nhptr;
> +
> +	if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr)))
> +		return -1;
> +	nhptr = ipv6_hdr(skb);
>  #else
>  	struct iphdr *nhptr = ip_hdr(skb);
> +
> +	if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr)))
> +		return -1;
> +	nhptr = ip_hdr(skb);
>  #endif

Maybe a good time to move nhptr declaration outside #if since it is used
in #else as well.

Otherwise:
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>

cheers,
jamal

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Changli Gao Aug. 4, 2010, 1:44 p.m. UTC | #2 
On Wed, Aug 4, 2010 at 9:42 PM, jamal <hadi@cyberus.ca> wrote:
> On Wed, 2010-08-04 at 16:55 +0800, Changli Gao wrote:
>> The packet length should be checked before the packet data is dereferenced.
>>
>> Signed-off-by: Changli Gao <xiaosuo@gmail.com>
>> ---
>>  net/sched/cls_rsvp.h |   10 +++++++++-
>>  1 file changed, 9 insertions(+), 1 deletion(-)
>> diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
>> index dd9414e..4fa119d 100644
>> --- a/net/sched/cls_rsvp.h
>> +++ b/net/sched/cls_rsvp.h
>> @@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp,
>>       u8 tunnelid = 0;
>>       u8 *xprt;
>>  #if RSVP_DST_LEN == 4
>> -     struct ipv6hdr *nhptr = ipv6_hdr(skb);
>> +     struct ipv6hdr *nhptr;
>> +
>> +     if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr)))
>> +             return -1;
>> +     nhptr = ipv6_hdr(skb);
>>  #else
>>       struct iphdr *nhptr = ip_hdr(skb);
>> +
>> +     if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr)))
>> +             return -1;
>> +     nhptr = ip_hdr(skb);
>>  #endif
>
> Maybe a good time to move nhptr declaration outside #if since it is used
> in #else as well.
>

They are not the same type. I am afraid that it won't work.
Changli Gao Aug. 4, 2010, 1:52 p.m. UTC | #3 
On Wed, Aug 4, 2010 at 9:44 PM, Changli Gao <xiaosuo@gmail.com> wrote:
> On Wed, Aug 4, 2010 at 9:42 PM, jamal <hadi@cyberus.ca> wrote:
>> On Wed, 2010-08-04 at 16:55 +0800, Changli Gao wrote:
>>> The packet length should be checked before the packet data is dereferenced.
>>>
>>> Signed-off-by: Changli Gao <xiaosuo@gmail.com>
>>> ---
>>>  net/sched/cls_rsvp.h |   10 +++++++++-
>>>  1 file changed, 9 insertions(+), 1 deletion(-)
>>> diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
>>> index dd9414e..4fa119d 100644
>>> --- a/net/sched/cls_rsvp.h
>>> +++ b/net/sched/cls_rsvp.h
>>> @@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp,
>>>       u8 tunnelid = 0;
>>>       u8 *xprt;
>>>  #if RSVP_DST_LEN == 4
>>> -     struct ipv6hdr *nhptr = ipv6_hdr(skb);
>>> +     struct ipv6hdr *nhptr;
>>> +
>>> +     if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr)))
>>> +             return -1;
>>> +     nhptr = ipv6_hdr(skb);
>>>  #else
>>>       struct iphdr *nhptr = ip_hdr(skb);
>>> +
>>> +     if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr)))
>>> +             return -1;
>>> +     nhptr = ip_hdr(skb);
>>>  #endif
>>
>> Maybe a good time to move nhptr declaration outside #if since it is used
>> in #else as well.
>>
>
> They are not the same type. I am afraid that it won't work.
>

I'll respin it with the routine pskb_network_may_pull(). Thanks.
diff mbox

Patch

diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
index dd9414e..4fa119d 100644
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -143,9 +143,17 @@  static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp,
 	u8 tunnelid = 0;
 	u8 *xprt;
 #if RSVP_DST_LEN == 4
-	struct ipv6hdr *nhptr = ipv6_hdr(skb);
+	struct ipv6hdr *nhptr;
+
+	if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr)))
+		return -1;
+	nhptr = ipv6_hdr(skb);
 #else
 	struct iphdr *nhptr = ip_hdr(skb);
+
+	if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr)))
+		return -1;
+	nhptr = ip_hdr(skb);
 #endif
 
 restart: