diff options
author | Stephen Hemminger <shemminger@osdl.org> | 2006-08-08 19:48:51 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-08-08 19:48:51 -0400 |
commit | 7b1ba8de569460894efa892457af7a37c0d574f9 (patch) | |
tree | 8739f17110b12aedf5f3067c3dba1f3350727f7a /net/ipx | |
parent | 70f8e78e150425b01c1099087ad3decacf7e4ccf (diff) |
[IPX]: Another nonlinear receive fix
Need to check some more cases in IPX receive. If the skb is purely
fragments, the IPX header needs to be extracted. The function
pskb_may_pull() may in theory invalidate all the pointers in the skb,
so references to ipx header must be refreshed.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipx')
-rw-r--r-- | net/ipx/af_ipx.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c index c13e86b14f69..401964204866 100644 --- a/net/ipx/af_ipx.c +++ b/net/ipx/af_ipx.c | |||
@@ -1642,14 +1642,17 @@ static int ipx_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_ty | |||
1642 | if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL) | 1642 | if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL) |
1643 | goto out; | 1643 | goto out; |
1644 | 1644 | ||
1645 | ipx = ipx_hdr(skb); | 1645 | if (!pskb_may_pull(skb, sizeof(struct ipxhdr))) |
1646 | ipx_pktsize = ntohs(ipx->ipx_pktsize); | 1646 | goto drop; |
1647 | |||
1648 | ipx_pktsize = ntohs(ipxhdr(skb)->ipx_pktsize); | ||
1647 | 1649 | ||
1648 | /* Too small or invalid header? */ | 1650 | /* Too small or invalid header? */ |
1649 | if (ipx_pktsize < sizeof(struct ipxhdr) || | 1651 | if (ipx_pktsize < sizeof(struct ipxhdr) || |
1650 | !pskb_may_pull(skb, ipx_pktsize)) | 1652 | !pskb_may_pull(skb, ipx_pktsize)) |
1651 | goto drop; | 1653 | goto drop; |
1652 | 1654 | ||
1655 | ipx = ipx_hdr(skb); | ||
1653 | if (ipx->ipx_checksum != IPX_NO_CHECKSUM && | 1656 | if (ipx->ipx_checksum != IPX_NO_CHECKSUM && |
1654 | ipx->ipx_checksum != ipx_cksum(ipx, ipx_pktsize)) | 1657 | ipx->ipx_checksum != ipx_cksum(ipx, ipx_pktsize)) |
1655 | goto drop; | 1658 | goto drop; |