aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6/xfrm6_policy.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/ipv6/xfrm6_policy.c')
-rw-r--r--net/ipv6/xfrm6_policy.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index b4b16a43f277..3a3c677bc0f2 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -157,7 +157,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
157 ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr); 157 ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr);
158 ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr); 158 ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr);
159 159
160 while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) { 160 while (nh + offset + 1 < skb->data ||
161 pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
161 nh = skb_network_header(skb); 162 nh = skb_network_header(skb);
162 exthdr = (struct ipv6_opt_hdr *)(nh + offset); 163 exthdr = (struct ipv6_opt_hdr *)(nh + offset);
163 164
@@ -177,7 +178,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
177 case IPPROTO_TCP: 178 case IPPROTO_TCP:
178 case IPPROTO_SCTP: 179 case IPPROTO_SCTP:
179 case IPPROTO_DCCP: 180 case IPPROTO_DCCP:
180 if (!onlyproto && pskb_may_pull(skb, nh + offset + 4 - skb->data)) { 181 if (!onlyproto && (nh + offset + 4 < skb->data ||
182 pskb_may_pull(skb, nh + offset + 4 - skb->data))) {
181 __be16 *ports = (__be16 *)exthdr; 183 __be16 *ports = (__be16 *)exthdr;
182 184
183 fl->fl_ip_sport = ports[!!reverse]; 185 fl->fl_ip_sport = ports[!!reverse];
generated by cgit v1.2.2 (git 2.25.0) at 2026-01-09 06:32:03 -0500