diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2011-08-26 02:26:15 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-08-26 12:49:04 -0400 |
commit | e9278a475f845833b569ca47171e64fe48c616e0 (patch) | |
tree | dfc4fbbb8bcbcd0fee9c67d17a8c3366f4094959 /net/core | |
parent | 3d015565f316584139946a1c450d44209beefeb6 (diff) |
netpoll: fix incorrect access to skb data in __netpoll_rx
__netpoll_rx() doesnt properly handle skbs with small header
pskb_may_pull() or pskb_trim_rcsum() can change skb->data, we must
reload it.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
-rw-r--r-- | net/core/netpoll.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/core/netpoll.c b/net/core/netpoll.c index adf84dd8c7b5..52622517e0d8 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c | |||
@@ -558,13 +558,14 @@ int __netpoll_rx(struct sk_buff *skb) | |||
558 | if (skb_shared(skb)) | 558 | if (skb_shared(skb)) |
559 | goto out; | 559 | goto out; |
560 | 560 | ||
561 | iph = (struct iphdr *)skb->data; | ||
562 | if (!pskb_may_pull(skb, sizeof(struct iphdr))) | 561 | if (!pskb_may_pull(skb, sizeof(struct iphdr))) |
563 | goto out; | 562 | goto out; |
563 | iph = (struct iphdr *)skb->data; | ||
564 | if (iph->ihl < 5 || iph->version != 4) | 564 | if (iph->ihl < 5 || iph->version != 4) |
565 | goto out; | 565 | goto out; |
566 | if (!pskb_may_pull(skb, iph->ihl*4)) | 566 | if (!pskb_may_pull(skb, iph->ihl*4)) |
567 | goto out; | 567 | goto out; |
568 | iph = (struct iphdr *)skb->data; | ||
568 | if (ip_fast_csum((u8 *)iph, iph->ihl) != 0) | 569 | if (ip_fast_csum((u8 *)iph, iph->ihl) != 0) |
569 | goto out; | 570 | goto out; |
570 | 571 | ||
@@ -579,6 +580,7 @@ int __netpoll_rx(struct sk_buff *skb) | |||
579 | if (pskb_trim_rcsum(skb, len)) | 580 | if (pskb_trim_rcsum(skb, len)) |
580 | goto out; | 581 | goto out; |
581 | 582 | ||
583 | iph = (struct iphdr *)skb->data; | ||
582 | if (iph->protocol != IPPROTO_UDP) | 584 | if (iph->protocol != IPPROTO_UDP) |
583 | goto out; | 585 | goto out; |
584 | 586 | ||