Message ID | 1280912124-30374-1-git-send-email-xiaosuo@gmail.com |
---|---|
State | Changes Requested, archived |
Delegated to: | David Miller |
Headers | show |
On Wed, 2010-08-04 at 16:55 +0800, Changli Gao wrote: > The packet length should be checked before the packet data is dereferenced. > > Signed-off-by: Changli Gao <xiaosuo@gmail.com> > --- > net/sched/cls_rsvp.h | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h > index dd9414e..4fa119d 100644 > --- a/net/sched/cls_rsvp.h > +++ b/net/sched/cls_rsvp.h > @@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp, > u8 tunnelid = 0; > u8 *xprt; > #if RSVP_DST_LEN == 4 > - struct ipv6hdr *nhptr = ipv6_hdr(skb); > + struct ipv6hdr *nhptr; > + > + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr))) > + return -1; > + nhptr = ipv6_hdr(skb); > #else > struct iphdr *nhptr = ip_hdr(skb); > + > + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr))) > + return -1; > + nhptr = ip_hdr(skb); > #endif Maybe a good time to move nhptr declaration outside #if since it is used in #else as well. Otherwise: Acked-by: Jamal Hadi Salim <hadi@cyberus.ca> cheers, jamal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Aug 4, 2010 at 9:42 PM, jamal <hadi@cyberus.ca> wrote: > On Wed, 2010-08-04 at 16:55 +0800, Changli Gao wrote: >> The packet length should be checked before the packet data is dereferenced. >> >> Signed-off-by: Changli Gao <xiaosuo@gmail.com> >> --- >> net/sched/cls_rsvp.h | 10 +++++++++- >> 1 file changed, 9 insertions(+), 1 deletion(-) >> diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h >> index dd9414e..4fa119d 100644 >> --- a/net/sched/cls_rsvp.h >> +++ b/net/sched/cls_rsvp.h >> @@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp, >> u8 tunnelid = 0; >> u8 *xprt; >> #if RSVP_DST_LEN == 4 >> - struct ipv6hdr *nhptr = ipv6_hdr(skb); >> + struct ipv6hdr *nhptr; >> + >> + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr))) >> + return -1; >> + nhptr = ipv6_hdr(skb); >> #else >> struct iphdr *nhptr = ip_hdr(skb); >> + >> + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr))) >> + return -1; >> + nhptr = ip_hdr(skb); >> #endif > > Maybe a good time to move nhptr declaration outside #if since it is used > in #else as well. > They are not the same type. I am afraid that it won't work.
On Wed, Aug 4, 2010 at 9:44 PM, Changli Gao <xiaosuo@gmail.com> wrote: > On Wed, Aug 4, 2010 at 9:42 PM, jamal <hadi@cyberus.ca> wrote: >> On Wed, 2010-08-04 at 16:55 +0800, Changli Gao wrote: >>> The packet length should be checked before the packet data is dereferenced. >>> >>> Signed-off-by: Changli Gao <xiaosuo@gmail.com> >>> --- >>> net/sched/cls_rsvp.h | 10 +++++++++- >>> 1 file changed, 9 insertions(+), 1 deletion(-) >>> diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h >>> index dd9414e..4fa119d 100644 >>> --- a/net/sched/cls_rsvp.h >>> +++ b/net/sched/cls_rsvp.h >>> @@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp, >>> u8 tunnelid = 0; >>> u8 *xprt; >>> #if RSVP_DST_LEN == 4 >>> - struct ipv6hdr *nhptr = ipv6_hdr(skb); >>> + struct ipv6hdr *nhptr; >>> + >>> + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr))) >>> + return -1; >>> + nhptr = ipv6_hdr(skb); >>> #else >>> struct iphdr *nhptr = ip_hdr(skb); >>> + >>> + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr))) >>> + return -1; >>> + nhptr = ip_hdr(skb); >>> #endif >> >> Maybe a good time to move nhptr declaration outside #if since it is used >> in #else as well. >> > > They are not the same type. I am afraid that it won't work. > I'll respin it with the routine pskb_network_may_pull(). Thanks.
diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h index dd9414e..4fa119d 100644 --- a/net/sched/cls_rsvp.h +++ b/net/sched/cls_rsvp.h @@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp, u8 tunnelid = 0; u8 *xprt; #if RSVP_DST_LEN == 4 - struct ipv6hdr *nhptr = ipv6_hdr(skb); + struct ipv6hdr *nhptr; + + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr))) + return -1; + nhptr = ipv6_hdr(skb); #else struct iphdr *nhptr = ip_hdr(skb); + + if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*nhptr))) + return -1; + nhptr = ip_hdr(skb); #endif restart:
The packet length should be checked before the packet data is dereferenced. Signed-off-by: Changli Gao <xiaosuo@gmail.com> --- net/sched/cls_rsvp.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html