ip_gre: fix a possible crash in parse_gre_header()

pskb_may_pull() can change skb->head, so we must init iph/greh after
calling it.

Bug added in commit c54419321455 (GRE: Refactor GRE tunneling code.)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 5 insertions, 3 deletions

diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index e5dfd2843f28..987a4e5e07e2 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -159,14 +159,14 @@ static int ip_gre_calc_hlen(__be16 o_flags)
 static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
                             bool *csum_err, int *hdr_len)
 {
-        struct iphdr *iph = ip_hdr(skb);
-        struct gre_base_hdr *greh;
+        unsigned int ip_hlen = ip_hdrlen(skb);
+        const struct gre_base_hdr *greh;
         __be32 *options;
 
         if (unlikely(!pskb_may_pull(skb, sizeof(struct gre_base_hdr))))
                 return -EINVAL;
 
-        greh = (struct gre_base_hdr *)((u8 *)iph + (iph->ihl << 2));
+        greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
         if (unlikely(greh->flags & (GRE_VERSION | GRE_ROUTING)))
                 return -EINVAL;
 
@@ -176,6 +176,8 @@ static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
         if (!pskb_may_pull(skb, *hdr_len))
                 return -EINVAL;
 
+        greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
+
         tpi->proto = greh->protocol;
 
         options = (__be32 *)(greh + 1);