
Commit d92a7db7, authored by Herbert Xu, committed by David S. Miller

[SNAP]: Check packet length before reading



The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.

Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 39dad26c
+12 −5
@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
		.type = __constant_htons(ETH_P_SNAP),
	};

	if (unlikely(!pskb_may_pull(skb, 5)))
		goto drop;

	rcu_read_lock();
	proto = find_snap_client(skb_transport_header(skb));
	if (proto) {
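Review bot: the literal 5 in pskb_may_pull(skb, 5) is the same length the next hunk consumes with skb->transport_header += 5 and skb_pull_rcsum(skb, 5), so the bounds check and the consumed length can drift apart if one of the three is edited later. Consider one named constant for the SNAP header length (3-byte OUI plus 2-byte protocol ID) used in all three places, or at least a comment on the check saying what the 5 bytes are. The ordering is right as written: skb_transport_header(skb) is evaluated only after pskb_may_pull() has succeeded, which matters because the pull can reallocate the head.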
@@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
		skb->transport_header += 5;
		skb_pull_rcsum(skb, 5);
		rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
	} else {
		skb->sk = NULL;
		kfree_skb(skb);
		rc = 1;
	}

	rcu_read_unlock();

	if (unlikely(!proto))
		goto drop;

out:
	return rc;

drop:
	kfree_skb(skb);
	goto out;
}

/*
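Review bot: the drop path at the end of this hunk (drop: kfree_skb(skb); goto out;) returns rc without assigning it, and the only assignment for the not-found case visible here is the rc = 1 inside the else branch. This rendering carries no +/- markers, but the else branch and the drop label cannot both free the skb, so the else branch is presumably what is removed; please confirm that rc is initialised at its declaration, which is outside the visible context, because both the early pskb_may_pull() failure and the !proto case now rely on that value. A minor style point: drop: jumping backwards to out: only to return could be a direct return rc after kfree_skb(skb).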