aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2010-12-21 15:43:16 -0500
committerDavid S. Miller <davem@davemloft.net>2010-12-21 15:43:16 -0500
commitda521b2c4f046383bc8941604174bc0e8bffb430 (patch)
treee3678d5af507054c86f1d913ad1599f4afee1c7d /include
parentaa3e219997e4b949be4199660936099ded0b401f (diff)
net: Fix range checks in tcf_valid_offset().
This function has three bugs: 1) The offset should be valid most of the time, this is just a sanity check, therefore we should use "likely" not "unlikely" 2) This is the only place where we can check for arithmetic overflow of the pointer plus the length. 3) The existing range checks are off by one, the valid range is skb->head to skb_tail_pointer(), inclusive. Based almost entirely upon a patch by Ralph Loader. Reported-by: Ralph Loader <suckfish@ihug.co.nz> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/net/pkt_cls.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h
index dd3031aed9d5..9fcc680ab6b9 100644
--- a/include/net/pkt_cls.h
+++ b/include/net/pkt_cls.h
@@ -323,7 +323,9 @@ static inline unsigned char * tcf_get_base_ptr(struct sk_buff *skb, int layer)
323static inline int tcf_valid_offset(const struct sk_buff *skb, 323static inline int tcf_valid_offset(const struct sk_buff *skb,
324 const unsigned char *ptr, const int len) 324 const unsigned char *ptr, const int len)
325{ 325{
326 return unlikely((ptr + len) < skb_tail_pointer(skb) && ptr > skb->head); 326 return likely((ptr + len) <= skb_tail_pointer(skb) &&
327 ptr >= skb->head &&
328 (ptr <= (ptr + len)));
327} 329}
328 330
329#ifdef CONFIG_NET_CLS_IND 331#ifdef CONFIG_NET_CLS_IND