author | Jesper Dangaard Brouer <hawk@comx.dk> | 2009-02-05 18:05:45 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-02-05 18:05:45 -0500 |
commit | 7b5e56f9d635643ad54f2f42e69ad16b80a2cff1 (patch) | |
tree | f0e3d35d01047375ea2eef5f8c99d9b96bc919ab /net | |
parent | b98ac702f49042ab0c382b839465b95a2bd0cd65 (diff) |
udp: Fix UDP short packet false positive
The UDP header pointer assignment must happen after calling
pskb_may_pull(). As pskb_may_pull() can potentially alter the SKB
buffer.
This was exposed by running multicast traffic through the NIU driver,
as it won't prepull the protocol headers into the linear area on
receive.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/udp.c | 3 |
1 files changed, 2 insertions, 1 deletions
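--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1231,7 +1231,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 int proto)
 {
 struct sock *sk;
-struct udphdr *uh = udp_hdr(skb);
+struct udphdr *uh;
 unsigned short ulen;
 struct rtable *rt = (struct rtable*)skb->dst;
 __be32 saddr = ip_hdr(skb)->saddr;
@@ -1244,6 +1244,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 if (!pskb_may_pull(skb, sizeof(struct udphdr)))
 goto drop; /* No space for header. */
 
+uh = udp_hdr(skb);
 ulen = ntohs(uh->len);
 if (ulen > skb->len)
 goto short_packet;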
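Review bot: Nothing at the new `uh = udp_hdr(skb);` line records why it has to follow the `pskb_may_pull()` check, so a later cleanup could fold it back into the declaration and reintroduce a length read through a stale header pointer. A short comment above the assignment would pin the ordering, e.g. `/* pskb_may_pull() may change the skb data buffer; load uh only after it */`. In the visible lines `saddr` is copied by value from `ip_hdr(skb)` at declaration, so it is not affected by the pull. The rest of `__udp4_lib_rcv` lies outside the hunk, so any other header pointer held across a call that can change the buffer should be checked the same way.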