diff options
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/xfrm6_policy.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index 30caa289c5db..f10b9400b6d7 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c | |||
| @@ -178,7 +178,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) | |||
| 178 | return; | 178 | return; |
| 179 | 179 | ||
| 180 | case IPPROTO_ICMPV6: | 180 | case IPPROTO_ICMPV6: |
| 181 | if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) { | 181 | if (!onlyproto && (nh + offset + 2 < skb->data || |
| 182 | pskb_may_pull(skb, nh + offset + 2 - skb->data))) { | ||
| 182 | u8 *icmp; | 183 | u8 *icmp; |
| 183 | 184 | ||
| 184 | nh = skb_network_header(skb); | 185 | nh = skb_network_header(skb); |
| @@ -192,7 +193,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) | |||
| 192 | #if IS_ENABLED(CONFIG_IPV6_MIP6) | 193 | #if IS_ENABLED(CONFIG_IPV6_MIP6) |
| 193 | case IPPROTO_MH: | 194 | case IPPROTO_MH: |
| 194 | offset += ipv6_optlen(exthdr); | 195 | offset += ipv6_optlen(exthdr); |
| 195 | if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) { | 196 | if (!onlyproto && (nh + offset + 3 < skb->data || |
| 197 | pskb_may_pull(skb, nh + offset + 3 - skb->data))) { | ||
| 196 | struct ip6_mh *mh; | 198 | struct ip6_mh *mh; |
| 197 | 199 | ||
| 198 | nh = skb_network_header(skb); | 200 | nh = skb_network_header(skb); |