1 files changed, 7 insertions, 5 deletions
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index fda321d814d6..d859a5c36e70 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -694,6 +694,7 @@ int dccp_invalid_packet(struct sk_buff *skb)
 {
        const struct dccp_hdr *dh;
        unsigned int cscov;
+        u8 dccph_doff;
        if (skb->pkt_type != PACKET_HOST)
                return 1;
@@ -715,18 +716,19 @@ int dccp_invalid_packet(struct sk_buff *skb)
        /*
         * If P.Data Offset is too small for packet type, drop packet and return
         */
-        if (dh->dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
+        dccph_doff = dh->dccph_doff;
-                DCCP_WARN("P.Data Offset(%u) too small\n", dh->dccph_doff);
+        if (dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
+                DCCP_WARN("P.Data Offset(%u) too small\n", dccph_doff);
                return 1;
        }
        /*
         * If P.Data Offset is too too large for packet, drop packet and return
         */
-        if (!pskb_may_pull(skb, dh->dccph_doff * sizeof(u32))) {
+        if (!pskb_may_pull(skb, dccph_doff * sizeof(u32))) {
-                DCCP_WARN("P.Data Offset(%u) too large\n", dh->dccph_doff);
+                DCCP_WARN("P.Data Offset(%u) too large\n", dccph_doff);
                return 1;
        }
+        dh = dccp_hdr(skb);
        /*
         * If P.type is not Data, Ack, or DataAck and P.X == 0 (the packet
         * has short sequence numbers), drop packet and return

diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index fda321d814d6..d859a5c36e70 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c
@@ -694,6 +694,7 @@ int dccp_invalid_packet(struct sk_buff *skb)
694	{	694	{
695	const struct dccp_hdr *dh;	695	const struct dccp_hdr *dh;
696	unsigned int cscov;	696	unsigned int cscov;
		697	u8 dccph_doff;
697		698
698	if (skb->pkt_type != PACKET_HOST)	699	if (skb->pkt_type != PACKET_HOST)
699	return 1;	700	return 1;
@@ -715,18 +716,19 @@ int dccp_invalid_packet(struct sk_buff *skb)
715	/*	716	/*
716	* If P.Data Offset is too small for packet type, drop packet and return	717	* If P.Data Offset is too small for packet type, drop packet and return
717	*/	718	*/
718	if (dh->dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {	719	dccph_doff = dh->dccph_doff;
719	DCCP_WARN("P.Data Offset(%u) too small\n", dh->dccph_doff);	720	if (dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
		721	DCCP_WARN("P.Data Offset(%u) too small\n", dccph_doff);
720	return 1;	722	return 1;
721	}	723	}
722	/*	724	/*
723	* If P.Data Offset is too too large for packet, drop packet and return	725	* If P.Data Offset is too too large for packet, drop packet and return
724	*/	726	*/
725	if (!pskb_may_pull(skb, dh->dccph_doff * sizeof(u32))) {	727	if (!pskb_may_pull(skb, dccph_doff * sizeof(u32))) {
726	DCCP_WARN("P.Data Offset(%u) too large\n", dh->dccph_doff);	728	DCCP_WARN("P.Data Offset(%u) too large\n", dccph_doff);
727	return 1;	729	return 1;
728	}	730	}
729		731	dh = dccp_hdr(skb);
730	/*	732	/*
731	* If P.type is not Data, Ack, or DataAck and P.X == 0 (the packet	733	* If P.type is not Data, Ack, or DataAck and P.X == 0 (the packet
732	* has short sequence numbers), drop packet and return	734	* has short sequence numbers), drop packet and return