Message ID | 1318904666.2571.33.camel@edumazet-laptop |
---|---|
State | Superseded, archived |
Delegated to: | David Miller |
Le mardi 18 octobre 2011 à 04:24 +0200, Eric Dumazet a écrit : > diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c > index eae542a..d0197e3 100644 > --- a/drivers/net/ppp/pptp.c > +++ b/drivers/net/ppp/pptp.c > @@ -305,11 +305,16 @@ static int pptp_rcv_core(struct sock *sk, struct sk_buff *skb) > } > > header = (struct pptp_gre_header *)(skb->data); > + headersize = sizeof(*header); > > /* test if acknowledgement present */ > if (PPTP_GRE_IS_A(header->ver)) { > - __u32 ack = (PPTP_GRE_IS_S(header->flags)) ? > - header->ack : header->seq; /* ack in different place if S = 0 */ > + __u32 ack; > + > + if (!pskb_may_pull(skb, headersize)) > + goto drop; Oh well, this is buggy, I need to set header again, I'll send an updated patch header = (struct pptp_gre_header *)(skb->data); > + ack = (PPTP_GRE_IS_S(header->flags)) ? > + header->ack : header->seq; /* ack in different place if S = 0 */ > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index eae542a..d0197e3 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -305,11 +305,16 @@ static int pptp_rcv_core(struct sock *sk, struct sk_buff *skb)
 }
 
 header = (struct pptp_gre_header *)(skb->data);
+ headersize = sizeof(*header);
 
 /* test if acknowledgement present */
 if (PPTP_GRE_IS_A(header->ver)) {
- __u32 ack = (PPTP_GRE_IS_S(header->flags)) ?
- header->ack : header->seq; /* ack in different place if S = 0 */
+ __u32 ack;
+
+ if (!pskb_may_pull(skb, headersize))
+ goto drop;
+ ack = (PPTP_GRE_IS_S(header->flags)) ?
+ header->ack : header->seq; /* ack in different place if S = 0 */
 
 ack = ntohl(ack);
 
@@ -318,21 +323,18 @@ static int pptp_rcv_core(struct sock *sk, struct sk_buff *skb)
 /* also handle sequence number wrap-around */
 if (WRAPPED(ack, opt->ack_recv))
 opt->ack_recv = ack;
+ } else {
+ headersize -= sizeof(header->ack);
 }
 
- /* test if payload present */
 if (!PPTP_GRE_IS_S(header->flags))
 goto drop;
 
- headersize = sizeof(*header);
 payload_len = ntohs(header->payload_len);
 seq = ntohl(header->seq);
 
- /* no ack present? */
- if (!PPTP_GRE_IS_A(header->ver))
- headersize -= sizeof(header->ack);
 /* check for incomplete packet (length smaller than expected) */
- if (skb->len - headersize < payload_len)
+ if (!pskb_may_pull(skb, headersize + payload_len))
 goto drop;
 
 payload = skb->data + headersize;
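Review bot: In the first hunk the new `pskb_may_pull(skb, headersize)` always asks for `sizeof(*header)`, the full header including `ack`, even when the S bit is clear. The comment on the `ack =` line says the acknowledgement then sits in `header->seq`, and the `headersize -= sizeof(header->ack)` in the second hunk shows the on-wire header is one field shorter when only one of seq/ack is present. A well-formed ack-only packet of that shorter length would therefore presumably fail the pull and be dropped before `opt->ack_recv` is updated. Sizing the check by the flag would avoid that, e.g. `if (!pskb_may_pull(skb, PPTP_GRE_IS_S(header->flags) ? headersize : headersize - sizeof(header->ack)))`. The function starts and ends outside the hunk, so whether the caller already guarantees that the bytes read through `header->ver` and `header->flags` are linear cannot be confirmed from here.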
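Review bot: The second hunk deletes both `/* test if payload present */` and `/* no ack present? */`, and the size adjustment now sits in a bare `else` with nothing saying why `headersize` shrinks. A short comment above `headersize -= sizeof(header->ack);`, such as `/* no ack field on the wire: header is sizeof(header->ack) shorter */`, would keep that reasoning next to the length check that depends on it, and the payload-present comment is worth retaining on the S-bit test. Separately, `pskb_may_pull(skb, headersize + payload_len)` may relocate the linear data; `payload = skb->data + headersize;` re-reads `skb->data`, which is fine, but any use of `header` after this point (outside the hunk) should be checked for the same reason.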