diff options
author | Li RongQing <roy.qing.li@gmail.com> | 2014-10-18 11:27:42 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-10-18 19:04:08 +0200 |
commit | fc6fb41cd64fd810bcc69fe9776d2f500778f38f (patch) | |
tree | 8814838d267283327e457d54ff7cfe99fee57f76 /net/ipv6/ip6_offload.c | |
parent | ipv4: fix a potential use after free in gre_offload.c (diff) | |
download | linux-fc6fb41cd64fd810bcc69fe9776d2f500778f38f.tar.xz linux-fc6fb41cd64fd810bcc69fe9776d2f500778f38f.zip |
ipv6: fix a potential use after free in ip6_offload.c
pskb_may_pull() maybe change skb->data and make opth pointer oboslete,
so set the opth again
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/ip6_offload.c')
-rw-r--r-- | net/ipv6/ip6_offload.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c index 9034f76ae013..91014d32488d 100644 --- a/net/ipv6/ip6_offload.c +++ b/net/ipv6/ip6_offload.c @@ -46,6 +46,7 @@ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto) if (unlikely(!pskb_may_pull(skb, len))) break; + opth = (void *)skb->data; proto = opth->nexthdr; __skb_pull(skb, len); } |