aboutsummaryrefslogtreecommitdiffstats
path: root/net/802/psnap.c
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2007-08-21 03:06:37 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-08-21 23:58:13 -0400
commitd92a7db710c32db826a00ba9bc7a22e741d5041e (patch)
tree800eeede84fea9ab9397b7a1a326629cf3c45bc8 /net/802/psnap.c
parent39dad26c37fdb1382e4173172a2704fa278f7fd6 (diff)
[SNAP]: Check packet length before reading
The snap_rcv code reads 5 bytes so we should make sure that we have 5 bytes in the head before proceeding. Based on diagnosis and fix by Evgeniy Polyakov, reported by Alan J. Wylie. Patch also kills the skb->sk assignment before kfree_skb since it's redundant. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/802/psnap.c')
-rw-r--r--net/802/psnap.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/net/802/psnap.c b/net/802/psnap.c
index 04ee43e7538..31128cb92a2 100644
--- a/net/802/psnap.c
+++ b/net/802/psnap.c
@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
55 .type = __constant_htons(ETH_P_SNAP), 55 .type = __constant_htons(ETH_P_SNAP),
56 }; 56 };
57 57
58 if (unlikely(!pskb_may_pull(skb, 5)))
59 goto drop;
60
58 rcu_read_lock(); 61 rcu_read_lock();
59 proto = find_snap_client(skb_transport_header(skb)); 62 proto = find_snap_client(skb_transport_header(skb));
60 if (proto) { 63 if (proto) {
@@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
62 skb->transport_header += 5; 65 skb->transport_header += 5;
63 skb_pull_rcsum(skb, 5); 66 skb_pull_rcsum(skb, 5);
64 rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); 67 rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
65 } else {
66 skb->sk = NULL;
67 kfree_skb(skb);
68 rc = 1;
69 } 68 }
70
71 rcu_read_unlock(); 69 rcu_read_unlock();
70
71 if (unlikely(!proto))
72 goto drop;
73
74out:
72 return rc; 75 return rc;
76
77drop:
78 kfree_skb(skb);
79 goto out;
73} 80}
74 81
75/* 82/*