diff options
author | David S. Miller <davem@davemloft.net> | 2011-04-11 21:59:05 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-04-11 21:59:05 -0400 |
commit | aa8673599f1d269b4e4d9b0c0f61fca57bc02699 (patch) | |
tree | 7733bac39d382cfcda0459e8973decb300a0c52a /net | |
parent | 4a9f65f6304a00f6473e83b19c1e83caa1e42530 (diff) |
llc: Fix length check in llc_fixup_skb().
Fixes bugzilla #32872
The LLC stack pretends to support non-linear skbs but there is a
direct use of skb_tail_pointer() in llc_fixup_skb().
Use pskb_may_pull() to see if data_size bytes remain and can be
accessed linearly in the packet, instead of direct pointer checks.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/llc/llc_input.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c index 058f1e9a9128..903242111317 100644 --- a/net/llc/llc_input.c +++ b/net/llc/llc_input.c | |||
@@ -121,8 +121,7 @@ static inline int llc_fixup_skb(struct sk_buff *skb) | |||
121 | s32 data_size = ntohs(pdulen) - llc_len; | 121 | s32 data_size = ntohs(pdulen) - llc_len; |
122 | 122 | ||
123 | if (data_size < 0 || | 123 | if (data_size < 0 || |
124 | ((skb_tail_pointer(skb) - | 124 | !pskb_may_pull(skb, data_size)) |
125 | (u8 *)pdu) - llc_len) < data_size) | ||
126 | return 0; | 125 | return 0; |
127 | if (unlikely(pskb_trim_rcsum(skb, data_size))) | 126 | if (unlikely(pskb_trim_rcsum(skb, data_size))) |
128 | return 0; | 127 | return 0; |