From patchwork Tue Sep 25 20:01:28 2012
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 186885
X-Patchwork-Delegate: davem@davemloft.net
Subject: [PATCH] ipv6: mip6: fix mip6_mh_filter()
From: Eric Dumazet
To: David Miller
Cc: netdev
Date: Tue, 25 Sep 2012 22:01:28 +0200
Message-ID: <1348603288.26828.3398.camel@edumazet-glaptop>
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

mip6_mh_filter() should not modify its input, or else its caller
would need to recompute ipv6_hdr() if skb->head is reallocated.

Use skb_header_pointer() instead of pskb_may_pull()

Signed-off-by: Eric Dumazet
---
 net/ipv6/mip6.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c index 5b087c3..0f9bdc5 100644 --- a/net/ipv6/mip6.c +++ b/net/ipv6/mip6.c 
@@ -86,28 +86,30 @@ static int mip6_mh_len(int type) static int mip6_mh_filter(struct sock *sk, struct sk_buff *skb) { - struct ip6_mh *mh; + struct ip6_mh _hdr; + const struct ip6_mh *mh; - if (!pskb_may_pull(skb, (skb_transport_offset(skb)) + 8) || - !pskb_may_pull(skb, (skb_transport_offset(skb) + - ((skb_transport_header(skb)[1] + 1) << 3)))) + mh = skb_header_pointer(skb, skb_transport_offset(skb), + sizeof(_hdr), &_hdr); + if (!mh) return -1; - mh = (struct ip6_mh *)skb_transport_header(skb); + if (((mh->ip6mh_hdrlen + 1) << 3) > skb->len) + return -1; if (mh->ip6mh_hdrlen < mip6_mh_len(mh->ip6mh_type)) { LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH message too short: %d vs >=%d\n", mh->ip6mh_hdrlen, mip6_mh_len(mh->ip6mh_type)); - mip6_param_prob(skb, 0, ((&mh->ip6mh_hdrlen) - - skb_network_header(skb))); + mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_hdrlen) + + skb_network_header_len(skb)); return -1; } if (mh->ip6mh_proto != IPPROTO_NONE) { LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n", mh->ip6mh_proto); - mip6_param_prob(skb, 0, ((&mh->ip6mh_proto) - - skb_network_header(skb))); + mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_proto) + + skb_network_header_len(skb)); return -1; }
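
Review bot: The new bound `((mh->ip6mh_hdrlen + 1) << 3) > skb->len` in mip6_mh_filter() no longer includes the `skb_transport_offset(skb)` term that the removed pskb_may_pull() check carried, so the declared MH length is compared against the whole skb length rather than against what remains after the transport offset. If the offset can be non-zero when this filter runs, a header whose declared length runs past the end of the packet by up to that many bytes is accepted. Either add the offset to the left-hand side (or compare against `skb->len - skb_transport_offset(skb)`), or add a short comment stating that skb->data already sits at the transport header at this call site. The same assumption about header layout is behind the new `offsetof(...) + skb_network_header_len(skb)` argument to mip6_param_prob(), which equals the old pointer difference only when the MH immediately follows the network header; a one-line comment saying so would help the next reader.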