diff options
author | Changli Gao <xiaosuo@gmail.com> | 2010-08-04 06:55:40 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-08-05 06:53:15 +0200 |
commit | 12dc96d1673feabef98eed1b5ff37abaa67fbe64 (patch) | |
tree | 4f92d2b0eac8e5e2ceedfe42ae0182302d28de65 /net | |
parent | cls_flow: add sanity check for the packet length (diff) | |
download | linux-12dc96d1673feabef98eed1b5ff37abaa67fbe64.tar.xz linux-12dc96d1673feabef98eed1b5ff37abaa67fbe64.zip |
cls_rsvp: add sanity check for the packet length
The packet length should be checked before the packet data is dereferenced.
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/sched/cls_rsvp.h | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h index dd9414e44200..425a1790b048 100644 --- a/net/sched/cls_rsvp.h +++ b/net/sched/cls_rsvp.h @@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp, u8 tunnelid = 0; u8 *xprt; #if RSVP_DST_LEN == 4 - struct ipv6hdr *nhptr = ipv6_hdr(skb); + struct ipv6hdr *nhptr; + + if (!pskb_network_may_pull(skb, sizeof(*nhptr))) + return -1; + nhptr = ipv6_hdr(skb); #else - struct iphdr *nhptr = ip_hdr(skb); + struct iphdr *nhptr; + + if (!pskb_network_may_pull(skb, sizeof(*nhptr))) + return -1; + nhptr = ip_hdr(skb); #endif restart: |