diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-08-21 03:06:37 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-08-21 23:58:13 -0400 |
commit | d92a7db710c32db826a00ba9bc7a22e741d5041e (patch) | |
tree | 800eeede84fea9ab9397b7a1a326629cf3c45bc8 /net/802/psnap.c | |
parent | 39dad26c37fdb1382e4173172a2704fa278f7fd6 (diff) |
[SNAP]: Check packet length before reading
The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.
Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.
Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/802/psnap.c')
-rw-r--r-- | net/802/psnap.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/net/802/psnap.c b/net/802/psnap.c index 04ee43e7538..31128cb92a2 100644 --- a/net/802/psnap.c +++ b/net/802/psnap.c | |||
@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, | |||
55 | .type = __constant_htons(ETH_P_SNAP), | 55 | .type = __constant_htons(ETH_P_SNAP), |
56 | }; | 56 | }; |
57 | 57 | ||
58 | if (unlikely(!pskb_may_pull(skb, 5))) | ||
59 | goto drop; | ||
60 | |||
58 | rcu_read_lock(); | 61 | rcu_read_lock(); |
59 | proto = find_snap_client(skb_transport_header(skb)); | 62 | proto = find_snap_client(skb_transport_header(skb)); |
60 | if (proto) { | 63 | if (proto) { |
@@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, | |||
62 | skb->transport_header += 5; | 65 | skb->transport_header += 5; |
63 | skb_pull_rcsum(skb, 5); | 66 | skb_pull_rcsum(skb, 5); |
64 | rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); | 67 | rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); |
65 | } else { | ||
66 | skb->sk = NULL; | ||
67 | kfree_skb(skb); | ||
68 | rc = 1; | ||
69 | } | 68 | } |
70 | |||
71 | rcu_read_unlock(); | 69 | rcu_read_unlock(); |
70 | |||
71 | if (unlikely(!proto)) | ||
72 | goto drop; | ||
73 | |||
74 | out: | ||
72 | return rc; | 75 | return rc; |
76 | |||
77 | drop: | ||
78 | kfree_skb(skb); | ||
79 | goto out; | ||
73 | } | 80 | } |
74 | 81 | ||
75 | /* | 82 | /* |