aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2011-04-11 21:59:05 -0400
committerDavid S. Miller <davem@davemloft.net>2011-04-11 21:59:05 -0400
commitaa8673599f1d269b4e4d9b0c0f61fca57bc02699 (patch)
tree7733bac39d382cfcda0459e8973decb300a0c52a /net
parent4a9f65f6304a00f6473e83b19c1e83caa1e42530 (diff)
llc: Fix length check in llc_fixup_skb().
Fixes bugzilla #32872 The LLC stack pretends to support non-linear skbs but there is a direct use of skb_tail_pointer() in llc_fixup_skb(). Use pskb_may_pull() to see if data_size bytes remain and can be accessed linearly in the packet, instead of direct pointer checks. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/llc/llc_input.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index 058f1e9a9128..903242111317 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -121,8 +121,7 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
121 s32 data_size = ntohs(pdulen) - llc_len; 121 s32 data_size = ntohs(pdulen) - llc_len;
122 122
123 if (data_size < 0 || 123 if (data_size < 0 ||
124 ((skb_tail_pointer(skb) - 124 !pskb_may_pull(skb, data_size))
125 (u8 *)pdu) - llc_len) < data_size)
126 return 0; 125 return 0;
127 if (unlikely(pskb_trim_rcsum(skb, data_size))) 126 if (unlikely(pskb_trim_rcsum(skb, data_size)))
128 return 0; 127 return 0;