aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2013-02-08 13:48:21 -0500
committerDavid S. Miller <davem@davemloft.net>2013-02-10 20:39:39 -0500
commit044453b3efdc90bdd5feffe74b99d95dec70ac43 (patch)
tree62f3107f82879cc5aeec7cf02f39f7e37de07a41
parent839c8cc32bc252345f4d5767d2d6cf695f2124ab (diff)
arp: fix possible crash in arp_rcv()
We should call skb_share_check() before pskb_may_pull(), or we can crash in pskb_expand_head() Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/arp.c21
1 files changed, 11 insertions, 10 deletions
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 9547a273b9e9..ded146b217f1 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -928,24 +928,25 @@ static void parp_redo(struct sk_buff *skb)
928static int arp_rcv(struct sk_buff *skb, struct net_device *dev, 928static int arp_rcv(struct sk_buff *skb, struct net_device *dev,
929 struct packet_type *pt, struct net_device *orig_dev) 929 struct packet_type *pt, struct net_device *orig_dev)
930{ 930{
931 struct arphdr *arp; 931 const struct arphdr *arp;
932
933 if (dev->flags & IFF_NOARP ||
934 skb->pkt_type == PACKET_OTHERHOST ||
935 skb->pkt_type == PACKET_LOOPBACK)
936 goto freeskb;
937
938 skb = skb_share_check(skb, GFP_ATOMIC);
939 if (!skb)
940 goto out_of_mem;
932 941
933 /* ARP header, plus 2 device addresses, plus 2 IP addresses. */ 942 /* ARP header, plus 2 device addresses, plus 2 IP addresses. */
934 if (!pskb_may_pull(skb, arp_hdr_len(dev))) 943 if (!pskb_may_pull(skb, arp_hdr_len(dev)))
935 goto freeskb; 944 goto freeskb;
936 945
937 arp = arp_hdr(skb); 946 arp = arp_hdr(skb);
938 if (arp->ar_hln != dev->addr_len || 947 if (arp->ar_hln != dev->addr_len || arp->ar_pln != 4)
939 dev->flags & IFF_NOARP ||
940 skb->pkt_type == PACKET_OTHERHOST ||
941 skb->pkt_type == PACKET_LOOPBACK ||
942 arp->ar_pln != 4)
943 goto freeskb; 948 goto freeskb;
944 949
945 skb = skb_share_check(skb, GFP_ATOMIC);
946 if (skb == NULL)
947 goto out_of_mem;
948
949 memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb)); 950 memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
950 951
951 return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process); 952 return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process);