diff options
author | Li RongQing <roy.qing.li@gmail.com> | 2014-10-16 03:17:18 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-10-16 05:33:23 +0200 |
commit | 91269e390d062b526432f2ef1352b8df82e0e0bc (patch) | |
tree | 3928c4ef40d25a2f6e5987cb67b2578844fc6588 /drivers/net | |
parent | vxlan: fix a use after free in vxlan_encap_bypass (diff) | |
download | linux-91269e390d062b526432f2ef1352b8df82e0e0bc.tar.xz linux-91269e390d062b526432f2ef1352b8df82e0e0bc.zip |
vxlan: using pskb_may_pull as early as possible
pskb_may_pull should be used to check if skb->data has enough space,
skb->len can not ensure that.
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net')
-rw-r--r-- | drivers/net/vxlan.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index faf1bd1f1ecf..77ab844cd8ae 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -1437,9 +1437,6 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb) if (!in6_dev) goto out; - if (!pskb_may_pull(skb, skb->len)) - goto out; - iphdr = ipv6_hdr(skb); saddr = &iphdr->saddr; daddr = &iphdr->daddr; @@ -1880,7 +1877,8 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) return arp_reduce(dev, skb); #if IS_ENABLED(CONFIG_IPV6) else if (ntohs(eth->h_proto) == ETH_P_IPV6 && - skb->len >= sizeof(struct ipv6hdr) + sizeof(struct nd_msg) && + pskb_may_pull(skb, sizeof(struct ipv6hdr) + + sizeof(struct nd_msg)) && ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) { struct nd_msg *msg; |