summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorChangli Gao <xiaosuo@gmail.com>2010-08-04 06:55:40 +0200
committerDavid S. Miller <davem@davemloft.net>2010-08-05 06:53:15 +0200
commit12dc96d1673feabef98eed1b5ff37abaa67fbe64 (patch)
tree4f92d2b0eac8e5e2ceedfe42ae0182302d28de65 /net
parentcls_flow: add sanity check for the packet length (diff)
downloadlinux-12dc96d1673feabef98eed1b5ff37abaa67fbe64.tar.xz
linux-12dc96d1673feabef98eed1b5ff37abaa67fbe64.zip
cls_rsvp: add sanity check for the packet length
The packet length should be checked before the packet data is dereferenced. Signed-off-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/sched/cls_rsvp.h12
1 files changed, 10 insertions, 2 deletions
diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
index dd9414e44200..425a1790b048 100644
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp,
u8 tunnelid = 0;
u8 *xprt;
#if RSVP_DST_LEN == 4
- struct ipv6hdr *nhptr = ipv6_hdr(skb);
+ struct ipv6hdr *nhptr;
+
+ if (!pskb_network_may_pull(skb, sizeof(*nhptr)))
+ return -1;
+ nhptr = ipv6_hdr(skb);
#else
- struct iphdr *nhptr = ip_hdr(skb);
+ struct iphdr *nhptr;
+
+ if (!pskb_network_may_pull(skb, sizeof(*nhptr)))
+ return -1;
+ nhptr = ip_hdr(skb);
#endif
restart: