Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f0a70e90 authored by David S. Miller's avatar David S. Miller
Browse files

ipv4: Put proper checks into icmp_socket_deliver(). 



All handler->err() routines expect that we've done a pskb_may_pull()
test to make sure that IP header length + 8 bytes can be safely
pulled.

Reported-by: default avatarHiroaki SHIMODA <shimoda.hiroaki@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 065f5f97

net/ipv4/icmp.c

+6 −6
Original line number Diff line number Diff line
@@ -640,6 +640,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) 
	const struct net_protocol *ipprot;

	int protocol = iph->protocol;



	/* Checkin full IP header plus 8 bytes of protocol to

	 * avoid additional coding at protocol handlers.

	 */

	if (!pskb_may_pull(skb, iph->ihl * 4 + 8))

		return;



	raw_icmp_error(skb, protocol, info);



	rcu_read_lock();
@@ -733,12 +739,6 @@ static void icmp_unreach(struct sk_buff *skb) 
		goto out;

	}



	/* Checkin full IP header plus 8 bytes of protocol to

	 * avoid additional coding at protocol handlers.

	 */

	if (!pskb_may_pull(skb, iph->ihl * 4 + 8))

		goto out;



	icmp_socket_deliver(skb, info);



out: