ipv4: ip_check_defrag should not assume that skb_network_offset is zero

ip_check_defrag() may be used by af_packet to defragment outgoing packets.
skb_network_offset() of af_packet's outgoing packets is not zero.

Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 7 insertions, 4 deletions

diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 2c8d98e728c0..145a50c4d566 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -659,27 +659,30 @@ EXPORT_SYMBOL(ip_defrag);
 struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user)
 {
         struct iphdr iph;
+        int netoff;
         u32 len;
 
         if (skb->protocol != htons(ETH_P_IP))
                 return skb;
 
-        if (skb_copy_bits(skb, 0, &iph, sizeof(iph)) < 0)
+        netoff = skb_network_offset(skb);
+
+        if (skb_copy_bits(skb, netoff, &iph, sizeof(iph)) < 0)
                 return skb;
 
         if (iph.ihl < 5 || iph.version != 4)
                 return skb;
 
         len = ntohs(iph.tot_len);
-        if (skb->len < len || len < (iph.ihl * 4))
+        if (skb->len < netoff + len || len < (iph.ihl * 4))
                 return skb;
 
         if (ip_is_fragment(&iph)) {
                 skb = skb_share_check(skb, GFP_ATOMIC);
                 if (skb) {
-                        if (!pskb_may_pull(skb, iph.ihl*4))
+                        if (!pskb_may_pull(skb, netoff + iph.ihl * 4))
                                 return skb;
-                        if (pskb_trim_rcsum(skb, len))
+                        if (pskb_trim_rcsum(skb, netoff + len))
                                 return skb;
                         memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
                         if (ip_defrag(skb, user))