diff options
author | Wei Yongjun <yjwei@cn.fujitsu.com> | 2009-07-02 12:59:49 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-07-03 22:10:10 -0400 |
commit | 59cae0092e4da753b5a2adb32933e0d1b223bcc5 (patch) | |
tree | b2578c0452504d63de9aeaf5029daae5cefef165 | |
parent | c615c9f3f3cea60279b1bb38e8ef27bd575ecd0c (diff) |
xfrm6: fix the proto and ports decode of sctp protocol
The SCTP pushed the skb above the sctp chunk header, so the
check of pskb_may_pull(skb, nh + offset + 1 - skb->data) in
_decode_session6() will never return 0 and the ports decode
of sctp will always fail. (nh + offset + 1 - skb->data < 0)
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv6/xfrm6_policy.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index b4b16a43f277..3a3c677bc0f2 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c | |||
@@ -157,7 +157,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) | |||
157 | ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr); | 157 | ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr); |
158 | ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr); | 158 | ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr); |
159 | 159 | ||
160 | while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) { | 160 | while (nh + offset + 1 < skb->data || |
161 | pskb_may_pull(skb, nh + offset + 1 - skb->data)) { | ||
161 | nh = skb_network_header(skb); | 162 | nh = skb_network_header(skb); |
162 | exthdr = (struct ipv6_opt_hdr *)(nh + offset); | 163 | exthdr = (struct ipv6_opt_hdr *)(nh + offset); |
163 | 164 | ||
@@ -177,7 +178,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) | |||
177 | case IPPROTO_TCP: | 178 | case IPPROTO_TCP: |
178 | case IPPROTO_SCTP: | 179 | case IPPROTO_SCTP: |
179 | case IPPROTO_DCCP: | 180 | case IPPROTO_DCCP: |
180 | if (!onlyproto && pskb_may_pull(skb, nh + offset + 4 - skb->data)) { | 181 | if (!onlyproto && (nh + offset + 4 < skb->data || |
182 | pskb_may_pull(skb, nh + offset + 4 - skb->data))) { | ||
181 | __be16 *ports = (__be16 *)exthdr; | 183 | __be16 *ports = (__be16 *)exthdr; |
182 | 184 | ||
183 | fl->fl_ip_sport = ports[!!reverse]; | 185 | fl->fl_ip_sport = ports[!!reverse]; |