diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2006-07-03 22:38:35 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-07-03 22:38:35 -0400 |
commit | bbcf467dab42ea3c85f368df346c82af2fbba665 (patch) | |
tree | e9fe30c1be9c6a3773454bad3eefaabf4f5bee48 /net/ipv4/af_inet.c | |
parent | 6ce1669fdb6b0a0faf9b2e2ba08048b520c57841 (diff) |
[NET]: Verify gso_type too in gso_segment
We don't want nasty Xen guests to pass a TCPv6 packet in with gso_type set
to TCPv4 or even UDP (or a packet that's both TCP and UDP).
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/af_inet.c')
-rw-r--r-- | net/ipv4/af_inet.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 8d157157bf8e..318d4674faa1 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c | |||
@@ -1106,7 +1106,15 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features) | |||
1106 | int ihl; | 1106 | int ihl; |
1107 | int id; | 1107 | int id; |
1108 | 1108 | ||
1109 | if (!pskb_may_pull(skb, sizeof(*iph))) | 1109 | if (unlikely(skb_shinfo(skb)->gso_type & |
1110 | ~(SKB_GSO_TCPV4 | | ||
1111 | SKB_GSO_UDP | | ||
1112 | SKB_GSO_DODGY | | ||
1113 | SKB_GSO_TCP_ECN | | ||
1114 | 0))) | ||
1115 | goto out; | ||
1116 | |||
1117 | if (unlikely(!pskb_may_pull(skb, sizeof(*iph)))) | ||
1110 | goto out; | 1118 | goto out; |
1111 | 1119 | ||
1112 | iph = skb->nh.iph; | 1120 | iph = skb->nh.iph; |
@@ -1114,7 +1122,7 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features) | |||
1114 | if (ihl < sizeof(*iph)) | 1122 | if (ihl < sizeof(*iph)) |
1115 | goto out; | 1123 | goto out; |
1116 | 1124 | ||
1117 | if (!pskb_may_pull(skb, ihl)) | 1125 | if (unlikely(!pskb_may_pull(skb, ihl))) |
1118 | goto out; | 1126 | goto out; |
1119 | 1127 | ||
1120 | skb->h.raw = __skb_pull(skb, ihl); | 1128 | skb->h.raw = __skb_pull(skb, ihl); |
@@ -1125,7 +1133,7 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features) | |||
1125 | 1133 | ||
1126 | rcu_read_lock(); | 1134 | rcu_read_lock(); |
1127 | ops = rcu_dereference(inet_protos[proto]); | 1135 | ops = rcu_dereference(inet_protos[proto]); |
1128 | if (ops && ops->gso_segment) | 1136 | if (likely(ops && ops->gso_segment)) |
1129 | segs = ops->gso_segment(skb, features); | 1137 | segs = ops->gso_segment(skb, features); |
1130 | rcu_read_unlock(); | 1138 | rcu_read_unlock(); |
1131 | 1139 | ||