diff options
author | David S. Miller <davem@davemloft.net> | 2010-12-21 15:43:16 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-12-21 15:43:16 -0500 |
commit | da521b2c4f046383bc8941604174bc0e8bffb430 (patch) | |
tree | e3678d5af507054c86f1d913ad1599f4afee1c7d /include | |
parent | aa3e219997e4b949be4199660936099ded0b401f (diff) |
net: Fix range checks in tcf_valid_offset().
This function has three bugs:
1) The offset should be valid most of the time, this is just
a sanity check, therefore we should use "likely" not "unlikely"
2) This is the only place where we can check for arithmetic overflow
of the pointer plus the length.
3) The existing range checks are off by one, the valid range is
skb->head to skb_tail_pointer(), inclusive.
Based almost entirely upon a patch by Ralph Loader.
Reported-by: Ralph Loader <suckfish@ihug.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/net/pkt_cls.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h index dd3031aed9d5..9fcc680ab6b9 100644 --- a/include/net/pkt_cls.h +++ b/include/net/pkt_cls.h | |||
@@ -323,7 +323,9 @@ static inline unsigned char * tcf_get_base_ptr(struct sk_buff *skb, int layer) | |||
323 | static inline int tcf_valid_offset(const struct sk_buff *skb, | 323 | static inline int tcf_valid_offset(const struct sk_buff *skb, |
324 | const unsigned char *ptr, const int len) | 324 | const unsigned char *ptr, const int len) |
325 | { | 325 | { |
326 | return unlikely((ptr + len) < skb_tail_pointer(skb) && ptr > skb->head); | 326 | return likely((ptr + len) <= skb_tail_pointer(skb) && |
327 | ptr >= skb->head && | ||
328 | (ptr <= (ptr + len))); | ||
327 | } | 329 | } |
328 | 330 | ||
329 | #ifdef CONFIG_NET_CLS_IND | 331 | #ifdef CONFIG_NET_CLS_IND |