[SNAP]: Check packet length before reading
The snap_rcv code reads 5 bytes so we should make sure that we have 5 bytes in the head before proceeding. Based on diagnosis and fix by Evgeniy Polyakov, reported by Alan J. Wylie. Patch also kills the skb->sk assignment before kfree_skb since it's redundant. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
39dad26c37
commit
d92a7db710
1 changed files with 12 additions and 5 deletions
|
@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
|
|||
.type = __constant_htons(ETH_P_SNAP),
|
||||
};
|
||||
|
||||
if (unlikely(!pskb_may_pull(skb, 5)))
|
||||
goto drop;
|
||||
|
||||
rcu_read_lock();
|
||||
proto = find_snap_client(skb_transport_header(skb));
|
||||
if (proto) {
|
||||
|
@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
|
|||
skb->transport_header += 5;
|
||||
skb_pull_rcsum(skb, 5);
|
||||
rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
|
||||
} else {
|
||||
skb->sk = NULL;
|
||||
kfree_skb(skb);
|
||||
rc = 1;
|
||||
}
|
||||
|
||||
rcu_read_unlock();
|
||||
|
||||
if (unlikely(!proto))
|
||||
goto drop;
|
||||
|
||||
out:
|
||||
return rc;
|
||||
|
||||
drop:
|
||||
kfree_skb(skb);
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
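Review bot: Both `goto drop` paths reach `return rc` with no assignment to `rc` in the visible lines, and the early one (a failed `pskb_may_pull(skb, 5)`) runs before anything in the shown code could have set it. The old else branch seems to have set `rc = 1` explicitly and the commit appears to remove that, so the value returned for a dropped frame now depends on the initialiser at `rc`'s declaration, which is outside this hunk; confirm it, or set `rc = 1;` under `drop:`. Separately, the literal 5 now ties together the length check, the `transport_header` adjustment and `skb_pull_rcsum()`. A named constant with a comment such as `/* SNAP header bytes that must be in the linear head before the client lookup */` would keep the bound and the reads from drifting apart. snap_rcv starts before the first hunk, so its declarations are not visible here.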