diff options
| author | Jesse Gross <jesse@nicira.com> | 2012-04-02 17:26:27 -0400 |
|---|---|---|
| committer | Jesse Gross <jesse@nicira.com> | 2012-04-02 17:28:57 -0400 |
| commit | bf32fecdc1851ad9ca960f56771b798d17c26cf1 (patch) | |
| tree | 039b57775613b56c84d2651071cfb7cc8cd536cf /net/openvswitch | |
| parent | dd775ae2549217d3ae09363e3edb305d0fa19928 (diff) | |
openvswitch: Add length check when retrieving TCP flags.
When collecting TCP flags we check that the IP header indicates that
a TCP header is present but not that the packet is actually long
enough to contain the header. This adds a check to prevent reading
off the end of the packet.
In practice, this is only likely to result in reading of bad data and
not a crash due to the presence of struct skb_shared_info at the end
of the packet.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Diffstat (limited to 'net/openvswitch')
| -rw-r--r-- | net/openvswitch/flow.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c index 1252c3081ef1..2a11ec2383ee 100644 --- a/net/openvswitch/flow.c +++ b/net/openvswitch/flow.c | |||
| @@ -183,7 +183,8 @@ void ovs_flow_used(struct sw_flow *flow, struct sk_buff *skb) | |||
| 183 | u8 tcp_flags = 0; | 183 | u8 tcp_flags = 0; |
| 184 | 184 | ||
| 185 | if (flow->key.eth.type == htons(ETH_P_IP) && | 185 | if (flow->key.eth.type == htons(ETH_P_IP) && |
| 186 | flow->key.ip.proto == IPPROTO_TCP) { | 186 | flow->key.ip.proto == IPPROTO_TCP && |
| 187 | likely(skb->len >= skb_transport_offset(skb) + sizeof(struct tcphdr))) { | ||
| 187 | u8 *tcp = (u8 *)tcp_hdr(skb); | 188 | u8 *tcp = (u8 *)tcp_hdr(skb); |
| 188 | tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK; | 189 | tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK; |
| 189 | } | 190 | } |