diff options
author | Eric Dumazet <edumazet@google.com> | 2013-02-08 13:48:21 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-02-10 20:39:39 -0500 |
commit | 044453b3efdc90bdd5feffe74b99d95dec70ac43 (patch) | |
tree | 62f3107f82879cc5aeec7cf02f39f7e37de07a41 | |
parent | 839c8cc32bc252345f4d5767d2d6cf695f2124ab (diff) |
arp: fix possible crash in arp_rcv()
We should call skb_share_check() before pskb_may_pull(), or we
can crash in pskb_expand_head()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/arp.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c index 9547a273b9e9..ded146b217f1 100644 --- a/net/ipv4/arp.c +++ b/net/ipv4/arp.c | |||
@@ -928,24 +928,25 @@ static void parp_redo(struct sk_buff *skb) | |||
928 | static int arp_rcv(struct sk_buff *skb, struct net_device *dev, | 928 | static int arp_rcv(struct sk_buff *skb, struct net_device *dev, |
929 | struct packet_type *pt, struct net_device *orig_dev) | 929 | struct packet_type *pt, struct net_device *orig_dev) |
930 | { | 930 | { |
931 | struct arphdr *arp; | 931 | const struct arphdr *arp; |
932 | |||
933 | if (dev->flags & IFF_NOARP || | ||
934 | skb->pkt_type == PACKET_OTHERHOST || | ||
935 | skb->pkt_type == PACKET_LOOPBACK) | ||
936 | goto freeskb; | ||
937 | |||
938 | skb = skb_share_check(skb, GFP_ATOMIC); | ||
939 | if (!skb) | ||
940 | goto out_of_mem; | ||
932 | 941 | ||
933 | /* ARP header, plus 2 device addresses, plus 2 IP addresses. */ | 942 | /* ARP header, plus 2 device addresses, plus 2 IP addresses. */ |
934 | if (!pskb_may_pull(skb, arp_hdr_len(dev))) | 943 | if (!pskb_may_pull(skb, arp_hdr_len(dev))) |
935 | goto freeskb; | 944 | goto freeskb; |
936 | 945 | ||
937 | arp = arp_hdr(skb); | 946 | arp = arp_hdr(skb); |
938 | if (arp->ar_hln != dev->addr_len || | 947 | if (arp->ar_hln != dev->addr_len || arp->ar_pln != 4) |
939 | dev->flags & IFF_NOARP || | ||
940 | skb->pkt_type == PACKET_OTHERHOST || | ||
941 | skb->pkt_type == PACKET_LOOPBACK || | ||
942 | arp->ar_pln != 4) | ||
943 | goto freeskb; | 948 | goto freeskb; |
944 | 949 | ||
945 | skb = skb_share_check(skb, GFP_ATOMIC); | ||
946 | if (skb == NULL) | ||
947 | goto out_of_mem; | ||
948 | |||
949 | memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb)); | 950 | memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb)); |
950 | 951 | ||
951 | return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process); | 952 | return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process); |