diff options
author | Changli Gao <xiaosuo@gmail.com> | 2010-06-02 00:55:02 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-06-03 06:28:27 -0400 |
commit | db2c24175d149b55784f7cb2c303622ce962c1ae (patch) | |
tree | 37c34d4289975bcea43d50bf6eff405f74310db5 | |
parent | 3df95ce948dc8ceef07b49003ab944aa047f2a79 (diff) |
act_pedit: access skb->data safely
access skb->data safely
we should use skb_header_pointer() and skb_store_bits() to access skb->data to
handle small or non-linear skbs.
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
----
net/sched/act_pedit.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/sched/act_pedit.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c index fdbd0b7bd840..50e3d945e1f4 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c | |||
@@ -125,7 +125,7 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a, | |||
125 | { | 125 | { |
126 | struct tcf_pedit *p = a->priv; | 126 | struct tcf_pedit *p = a->priv; |
127 | int i, munged = 0; | 127 | int i, munged = 0; |
128 | u8 *pptr; | 128 | unsigned int off; |
129 | 129 | ||
130 | if (!(skb->tc_verd & TC_OK2MUNGE)) { | 130 | if (!(skb->tc_verd & TC_OK2MUNGE)) { |
131 | /* should we set skb->cloned? */ | 131 | /* should we set skb->cloned? */ |
@@ -134,7 +134,7 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a, | |||
134 | } | 134 | } |
135 | } | 135 | } |
136 | 136 | ||
137 | pptr = skb_network_header(skb); | 137 | off = skb_network_offset(skb); |
138 | 138 | ||
139 | spin_lock(&p->tcf_lock); | 139 | spin_lock(&p->tcf_lock); |
140 | 140 | ||
@@ -144,17 +144,17 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a, | |||
144 | struct tc_pedit_key *tkey = p->tcfp_keys; | 144 | struct tc_pedit_key *tkey = p->tcfp_keys; |
145 | 145 | ||
146 | for (i = p->tcfp_nkeys; i > 0; i--, tkey++) { | 146 | for (i = p->tcfp_nkeys; i > 0; i--, tkey++) { |
147 | u32 *ptr; | 147 | u32 *ptr, _data; |
148 | int offset = tkey->off; | 148 | int offset = tkey->off; |
149 | 149 | ||
150 | if (tkey->offmask) { | 150 | if (tkey->offmask) { |
151 | if (skb->len > tkey->at) { | 151 | char *d, _d; |
152 | char *j = pptr + tkey->at; | 152 | |
153 | offset += ((*j & tkey->offmask) >> | 153 | d = skb_header_pointer(skb, off + tkey->at, 1, |
154 | tkey->shift); | 154 | &_d); |
155 | } else { | 155 | if (!d) |
156 | goto bad; | 156 | goto bad; |
157 | } | 157 | offset += (*d & tkey->offmask) >> tkey->shift; |
158 | } | 158 | } |
159 | 159 | ||
160 | if (offset % 4) { | 160 | if (offset % 4) { |
@@ -169,9 +169,13 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a, | |||
169 | goto bad; | 169 | goto bad; |
170 | } | 170 | } |
171 | 171 | ||
172 | ptr = (u32 *)(pptr+offset); | 172 | ptr = skb_header_pointer(skb, off + offset, 4, &_data); |
173 | if (!ptr) | ||
174 | goto bad; | ||
173 | /* just do it, baby */ | 175 | /* just do it, baby */ |
174 | *ptr = ((*ptr & tkey->mask) ^ tkey->val); | 176 | *ptr = ((*ptr & tkey->mask) ^ tkey->val); |
177 | if (ptr == &_data) | ||
178 | skb_store_bits(skb, off + offset, ptr, 4); | ||
175 | munged++; | 179 | munged++; |
176 | } | 180 | } |
177 | 181 | ||