authorJesper Dangaard Brouer <hawk@comx.dk>2009-02-06 04:59:12 -0500
committerDavid S. Miller <davem@davemloft.net>2009-02-06 04:59:12 -0500
commit2783ef23128ad0a4b34e4121c1f7ff664785712f (patch)
tree1e0ada9b370ffc967b138dfb7d7c5464a0d4f438
parentefc683fc2a692735029067b4f939af2a3625e31d (diff)
udp: Fix potential wrong ip_hdr(skb) pointers
Like the UDP header fix, pskb_may_pull() can potentially alter the SKB buffer. Thus the saddr and daddr pointers may point to the old skb->data buffer. I haven't seen corruptions, as it's only seen if the old skb->data buffer were reallocated by another user and written into very quickly (or poison'd by SLAB debugging). Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/udp.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index cc3a0a06c004..c47c989cb1fb 100644
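--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1234,8 +1234,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 struct udphdr *uh;
 unsigned short ulen;
 struct rtable *rt = (struct rtable*)skb->dst;
-__be32 saddr = ip_hdr(skb)->saddr;
-__be32 daddr = ip_hdr(skb)->daddr;
+__be32 saddr, daddr;
 struct net *net = dev_net(skb->dev);
 
 /*
@@ -1259,6 +1258,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 if (udp4_csum_init(skb, uh, proto))
 goto csum_error;
 
+saddr = ip_hdr(skb)->saddr;
+daddr = ip_hdr(skb)->daddr;
+
 if (rt->rt_flags & (RTCF_BROADCAST|RTCF_MULTICAST))
 return __udp4_lib_mcast_deliver(net, skb, uh,
 saddr, daddr, udptable);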
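Review bot: With the initialisers removed from the declaration, `saddr` and `daddr` are indeterminate until the new assignments, yet `goto csum_error;` two lines above them (and any earlier exits between the two hunks) can leave the main path before they are set. If the error labels, which are outside this hunk, log or otherwise read these variables, they would now read uninitialised stack contents; those paths should re-read the header at the point of use, e.g. `ip_hdr(skb)->saddr`, rather than rely on the cached copies. A short comment above the new assignments such as `/* read after pskb_may_pull(): it may reallocate skb->data */` would also keep a later cleanup from hoisting them back to the declaration. `__udp4_lib_rcv` starts and ends outside the visible hunks.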