aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJesse Gross <jesse@nicira.com>2012-04-02 17:26:27 -0400
committerJesse Gross <jesse@nicira.com>2012-04-02 17:28:57 -0400
commitbf32fecdc1851ad9ca960f56771b798d17c26cf1 (patch)
tree039b57775613b56c84d2651071cfb7cc8cd536cf
parentdd775ae2549217d3ae09363e3edb305d0fa19928 (diff)
openvswitch: Add length check when retrieving TCP flags.
When collecting TCP flags we check that the IP header indicates that a TCP header is present but not that the packet is actually long enough to contain the header. This adds a check to prevent reading off the end of the packet. In practice, this is only likely to result in reading of bad data and not a crash due to the presence of struct skb_shared_info at the end of the packet. Signed-off-by: Jesse Gross <jesse@nicira.com>
-rw-r--r--net/openvswitch/flow.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 1252c3081ef1..2a11ec2383ee 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -183,7 +183,8 @@ void ovs_flow_used(struct sw_flow *flow, struct sk_buff *skb)
183 u8 tcp_flags = 0; 183 u8 tcp_flags = 0;
184 184
185 if (flow->key.eth.type == htons(ETH_P_IP) && 185 if (flow->key.eth.type == htons(ETH_P_IP) &&
186 flow->key.ip.proto == IPPROTO_TCP) { 186 flow->key.ip.proto == IPPROTO_TCP &&
187 likely(skb->len >= skb_transport_offset(skb) + sizeof(struct tcphdr))) {
187 u8 *tcp = (u8 *)tcp_hdr(skb); 188 u8 *tcp = (u8 *)tcp_hdr(skb);
188 tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK; 189 tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK;
189 } 190 }