aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--net/ipv4/ip_input.c27
1 files changed, 13 insertions, 14 deletions
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 81e18023dc19..322b082ede1e 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -361,6 +361,7 @@ drop:
361int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev) 361int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
362{ 362{
363 struct iphdr *iph; 363 struct iphdr *iph;
364 u32 len;
364 365
365 /* When the interface is in promisc. mode, drop all the crap 366 /* When the interface is in promisc. mode, drop all the crap
366 * that it receives, do not try to analyse it. 367 * that it receives, do not try to analyse it.
@@ -392,7 +393,7 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
392 */ 393 */
393 394
394 if (iph->ihl < 5 || iph->version != 4) 395 if (iph->ihl < 5 || iph->version != 4)
395 goto inhdr_error; 396 goto inhdr_error;
396 397
397 if (!pskb_may_pull(skb, iph->ihl*4)) 398 if (!pskb_may_pull(skb, iph->ihl*4))
398 goto inhdr_error; 399 goto inhdr_error;
@@ -400,21 +401,19 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
400 iph = skb->nh.iph; 401 iph = skb->nh.iph;
401 402
402 if (ip_fast_csum((u8 *)iph, iph->ihl) != 0) 403 if (ip_fast_csum((u8 *)iph, iph->ihl) != 0)
403 goto inhdr_error; 404 goto inhdr_error;
404 405
405 { 406 len = ntohs(iph->tot_len);
406 __u32 len = ntohs(iph->tot_len); 407 if (skb->len < len || len < (iph->ihl*4))
407 if (skb->len < len || len < (iph->ihl<<2)) 408 goto inhdr_error;
408 goto inhdr_error;
409 409
410 /* Our transport medium may have padded the buffer out. Now we know it 410 /* Our transport medium may have padded the buffer out. Now we know it
411 * is IP we can trim to the true length of the frame. 411 * is IP we can trim to the true length of the frame.
412 * Note this now means skb->len holds ntohs(iph->tot_len). 412 * Note this now means skb->len holds ntohs(iph->tot_len).
413 */ 413 */
414 if (pskb_trim_rcsum(skb, len)) { 414 if (pskb_trim_rcsum(skb, len)) {
415 IP_INC_STATS_BH(IPSTATS_MIB_INDISCARDS); 415 IP_INC_STATS_BH(IPSTATS_MIB_INDISCARDS);
416 goto drop; 416 goto drop;
417 }
418 } 417 }
419 418
420 return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL, 419 return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,