diff options
author | Jesper Dangaard Brouer <hawk@comx.dk> | 2009-02-06 04:59:12 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-02-06 04:59:12 -0500 |
commit | 2783ef23128ad0a4b34e4121c1f7ff664785712f (patch) | |
tree | 1e0ada9b370ffc967b138dfb7d7c5464a0d4f438 /net/ipv4/udp.c | |
parent | efc683fc2a692735029067b4f939af2a3625e31d (diff) |
udp: Fix potential wrong ip_hdr(skb) pointers
Like the UDP header fix, pskb_may_pull() can potentially
alter the SKB buffer. Thus the saddr and daddr, pointers
may point to the old skb->data buffer.
I haven't seen corruptions, as its only seen if the old
skb->data buffer were reallocated by another user and
written into very quickly (or poison'd by SLAB debugging).
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/udp.c')
-rw-r--r-- | net/ipv4/udp.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index cc3a0a06c004..c47c989cb1fb 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c | |||
@@ -1234,8 +1234,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, | |||
1234 | struct udphdr *uh; | 1234 | struct udphdr *uh; |
1235 | unsigned short ulen; | 1235 | unsigned short ulen; |
1236 | struct rtable *rt = (struct rtable*)skb->dst; | 1236 | struct rtable *rt = (struct rtable*)skb->dst; |
1237 | __be32 saddr = ip_hdr(skb)->saddr; | 1237 | __be32 saddr, daddr; |
1238 | __be32 daddr = ip_hdr(skb)->daddr; | ||
1239 | struct net *net = dev_net(skb->dev); | 1238 | struct net *net = dev_net(skb->dev); |
1240 | 1239 | ||
1241 | /* | 1240 | /* |
@@ -1259,6 +1258,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, | |||
1259 | if (udp4_csum_init(skb, uh, proto)) | 1258 | if (udp4_csum_init(skb, uh, proto)) |
1260 | goto csum_error; | 1259 | goto csum_error; |
1261 | 1260 | ||
1261 | saddr = ip_hdr(skb)->saddr; | ||
1262 | daddr = ip_hdr(skb)->daddr; | ||
1263 | |||
1262 | if (rt->rt_flags & (RTCF_BROADCAST|RTCF_MULTICAST)) | 1264 | if (rt->rt_flags & (RTCF_BROADCAST|RTCF_MULTICAST)) |
1263 | return __udp4_lib_mcast_deliver(net, skb, uh, | 1265 | return __udp4_lib_mcast_deliver(net, skb, uh, |
1264 | saddr, daddr, udptable); | 1266 | saddr, daddr, udptable); |