From patchwork Fri Apr 5 01:41:27 2013
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 234013
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1365126087.3308.17.camel@edumazet-glaptop>
Subject: [PATCH net-next] ip_gre: fix a possible crash in parse_gre_header()
From: Eric Dumazet
To: David Miller
Cc: netdev, Pravin B Shelar
Date: Thu, 04 Apr 2013 18:41:27 -0700
X-Mailer: Evolution 3.2.3-0ubuntu6
Mime-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

pskb_may_pull() can change skb->head, so we must init iph/greh after calling it.

Bug added in commit c54419321455 (GRE: Refactor GRE tunneling code.)

Signed-off-by: Eric Dumazet
Cc: Pravin B Shelar
---
 net/ipv4/ip_gre.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index e5dfd28..987a4e5 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -159,14 +159,14 @@ static int ip_gre_calc_hlen(__be16 o_flags) static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi, bool *csum_err, int *hdr_len) { - struct iphdr *iph = ip_hdr(skb); - struct gre_base_hdr *greh; + unsigned int ip_hlen = ip_hdrlen(skb); + const struct gre_base_hdr *greh; __be32 *options; if (unlikely(!pskb_may_pull(skb, sizeof(struct gre_base_hdr)))) return -EINVAL; - greh = (struct gre_base_hdr *)((u8 *)iph + (iph->ihl << 2)); + greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen); if (unlikely(greh->flags & (GRE_VERSION | GRE_ROUTING))) return -EINVAL; @@ -176,6 +176,8 @@ static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi, if (!pskb_may_pull(skb, *hdr_len)) return -EINVAL; + greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen); + tpi->proto = greh->protocol; options = (__be32 *)(greh + 1);
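Review bot: in the first hunk (@@ -159,14), `unsigned int ip_hlen = ip_hdrlen(skb);` is still evaluated before the first `pskb_may_pull()`, which is only safe because it stores a length (`iph->ihl << 2`) rather than a pointer into the old `skb->head`; `greh` is then rebuilt from `skb_network_header(skb) + ip_hlen` after the pull, so the `greh->flags` check no longer reads through a pointer that a reallocating pull may have invalidated. One nit: `greh` is now declared `const struct gre_base_hdr *`, but the cast on the assignment is still `(struct gre_base_hdr *)`; casting to `(const struct gre_base_hdr *)` would match the declaration.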
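Review bot: in the second hunk (@@ -176,6), the added re-derivation of `greh` after `pskb_may_pull(skb, *hdr_len)` is the core of the fix: that second pull can again move `skb->head`, so the `greh` computed after the first pull would be stale by the time `tpi->proto = greh->protocol;` and `options = (__be32 *)(greh + 1);` dereference it. Since the same expression now appears twice in the function, a one-line comment at the re-derivation (for example `/* pskb_may_pull() may have changed skb->head */`) would stop a later cleanup from "deduplicating" it and reintroducing the bug.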