[1/2] xfrm4: fix the ports decode of sctp protocol

Message ID 4A4D7393.1060303@cn.fujitsu.com
State Accepted, archived
Delegated to: David Miller

Commit Message

Wei Yongjun July 3, 2009, 2:57 a.m. UTC
The SCTP pushed the skb data above the sctp chunk header, so the check
of pskb_may_pull(skb, xprth + 4 - skb->data) in _decode_session4() will
never return 0 because xprth + 4 - skb->data < 0, the ports decode of
sctp will always fail.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
---
 net/ipv4/xfrm4_policy.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

Comments

Herbert Xu July 3, 2009, 3:48 a.m. UTC | #1
On Fri, Jul 03, 2009 at 10:57:23AM +0800, Wei Yongjun wrote:
> The SCTP pushed the skb data above the sctp chunk header, so the check
> of pskb_may_pull(skb, xprth + 4 - skb->data) in _decode_session4() will
> never return 0 because xprth + 4 - skb->data < 0, the ports decode of
> sctp will always fail.
> 
> Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Longer term I wonder if we can move this stuff into the protocol
code, i.e., before they call xfrm_policy_check.

Cheers,

David Miller July 4, 2009, 2:10 a.m. UTC | #2
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Fri, 3 Jul 2009 11:48:49 +0800

> On Fri, Jul 03, 2009 at 10:57:23AM +0800, Wei Yongjun wrote:
>> The SCTP pushed the skb data above the sctp chunk header, so the check
>> of pskb_may_pull(skb, xprth + 4 - skb->data) in _decode_session4() will
>> never return 0 because xprth + 4 - skb->data < 0, the ports decode of
>> sctp will always fail.
>> 
>> Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
> 
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Applied.

> Longer term I wonder if we can move this stuff into the protocol
> code, i.e., before they call xfrm_policy_check.

That ought to work.
Patch

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 60d918c..0071ee6 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -136,7 +136,8 @@  _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 		case IPPROTO_TCP:
 		case IPPROTO_SCTP:
 		case IPPROTO_DCCP:
-			if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
+			if (xprth + 4 < skb->data ||
+			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
 				__be16 *ports = (__be16 *)xprth;
 
 				fl->fl_ip_sport = ports[!!reverse];
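
Review bot: The added `xprth + 4 < skb->data` test bypasses pskb_may_pull() entirely, and nothing in the code says why reading ports[] from xprth is safe on that path. The branch relies on the caller having already pulled past the transport header, so that the four port bytes sit below skb->data in memory that was validated earlier. That assumption deserves a short comment above the condition, because the case labels are shared: the same shortcut now applies to IPPROTO_TCP and IPPROTO_DCCP, while the commit message only describes SCTP advancing skb->data. It would also help to state in the comment that without this guard the pointer difference `xprth + 4 - skb->data` is negative and is passed to pskb_may_pull() as a length, which is the failure being fixed. Longer term, Herbert's suggestion in the thread of decoding ports in the protocol code before xfrm_policy_check would remove the need to reason about where skb->data points at this stage.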