authorChangli Gao <xiaosuo@gmail.com>2010-08-04 04:55:40 +0000
committerDavid S. Miller <davem@davemloft.net>2010-08-04 21:53:15 -0700
commit12dc96d1673feabef98eed1b5ff37abaa67fbe64 (patch)
tree4f92d2b0eac8e5e2ceedfe42ae0182302d28de65
parent4b95c3d40d7d9927438ed7b7b49c84c60e27b65b (diff)
cls_rsvp: add sanity check for the packet length
The packet length should be checked before the packet data is dereferenced. Signed-off-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/sched/cls_rsvp.h12
1 files changed, 10 insertions, 2 deletions
diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
index dd9414e4420..425a1790b04 100644
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp,
u8 tunnelid = 0;
u8 *xprt;
#if RSVP_DST_LEN == 4
- struct ipv6hdr *nhptr = ipv6_hdr(skb);
+ struct ipv6hdr *nhptr;
+
+ if (!pskb_network_may_pull(skb, sizeof(*nhptr)))
+ return -1;
+ nhptr = ipv6_hdr(skb);
#else
- struct iphdr *nhptr = ip_hdr(skb);
+ struct iphdr *nhptr;
+
+ if (!pskb_network_may_pull(skb, sizeof(*nhptr)))
+ return -1;
+ nhptr = ip_hdr(skb);
#endif
restart:
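Review bot: The two added `pskb_network_may_pull(skb, sizeof(*nhptr))` checks validate only the fixed-size IPv4/IPv6 header, so they do not bound any later read made through `xprt`, which is declared at the top of this hunk. The body of rsvp_classify continues past `restart:` outside the hunk. If it derives `xprt` from `nhptr` plus a header length and reads at filter-supplied offsets, those accesses presumably still need their own pull or a bounded read such as `skb_header_pointer()`. I would at least record the limit above the checks: `/* Only the fixed network header is validated here; reads at transport offsets need their own length check. */`. Assigning `nhptr` only after the pull is correct, since the pull may reallocate the header data and a pointer taken earlier could go stale.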