Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says: ==================== The following patchset contains a late fix for IPVS: * Fix crash when trying to remove the transport header with non-linear skbuffs, this was introduced in 3.6-rc. Patch from Peter Christensen via the IPVS folks. I'll pass this to -stable once this hits mainstream. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2014-05-30 20:56:09 -0400
committer: David S. Miller <davem@davemloft.net> 2014-05-30 20:56:09 -0400
commit: dbfc4b698ab83494eb8a03f5f3c478cec29a4f62 (patch)
tree: f04719877ba135dcc38335c0e9f2323f7c3d742a
parent: 554215c5ca08d196ed48a66693e7fc6e5f81f00e (diff)
parent: f44a5f45f544561302e855e7bd104e5f506ec01b (diff)
1 files changed, 10 insertions, 5 deletions
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 4f26ee46b51f..3d2d2c8108ca 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1392,15 +1392,19 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
        if (ipip) {
                __be32 info = ic->un.gateway;
+                __u8 type = ic->type;
+                __u8 code = ic->code;
                /* Update the MTU */
                if (ic->type == ICMP_DEST_UNREACH &&
                    ic->code == ICMP_FRAG_NEEDED) {
                        struct ip_vs_dest *dest = cp->dest;
                        u32 mtu = ntohs(ic->un.frag.mtu);
+                        __be16 frag_off = cih->frag_off;
                        /* Strip outer IP and ICMP, go to IPIP header */
-                        __skb_pull(skb, ihl + sizeof(_icmph));
+                        if (pskb_pull(skb, ihl + sizeof(_icmph)) == NULL)
+                                goto ignore_ipip;
                        offset2 -= ihl + sizeof(_icmph);
                        skb_reset_network_header(skb);
                        IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
@@ -1408,7 +1412,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
                        ipv4_update_pmtu(skb, dev_net(skb->dev),
                                         mtu, 0, 0, 0, 0);
                        /* Client uses PMTUD? */
-                        if (!(cih->frag_off & htons(IP_DF)))
+                        if (!(frag_off & htons(IP_DF)))
                                goto ignore_ipip;
                        /* Prefer the resulting PMTU */
                        if (dest) {
@@ -1427,12 +1431,13 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
                /* Strip outer IP, ICMP and IPIP, go to IP header of
                 * original request.
                 */
-                __skb_pull(skb, offset2);
+                if (pskb_pull(skb, offset2) == NULL)
+                        goto ignore_ipip;
                skb_reset_network_header(skb);
                IP_VS_DBG(12, "Sending ICMP for %pI4->%pI4: t=%u, c=%u, i=%u\n",
                        &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
-                        ic->type, ic->code, ntohl(info));
+                        type, code, ntohl(info));
-                icmp_send(skb, ic->type, ic->code, info);
+                icmp_send(skb, type, code, info);
                /* ICMP can be shorter but anyways, account it */
                ip_vs_out_stats(cp, skb);
author	David S. Miller <davem@davemloft.net>	2014-05-30 20:56:09 -0400
committer	David S. Miller <davem@davemloft.net>	2014-05-30 20:56:09 -0400
commit	dbfc4b698ab83494eb8a03f5f3c478cec29a4f62 (patch)
tree	f04719877ba135dcc38335c0e9f2323f7c3d742a
parent	554215c5ca08d196ed48a66693e7fc6e5f81f00e (diff)
parent	f44a5f45f544561302e855e7bd104e5f506ec01b (diff)