Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7b1ba8de authored by Stephen Hemminger's avatar Stephen Hemminger Committed by David S. Miller
Browse files

[IPX]: Another nonlinear receive fix 



Need to check some more cases in IPX receive.  If the skb is purely
fragments, the IPX header needs to be extracted. The function
pskb_may_pull() may in theory invalidate all the pointers in the skb,
so references to ipx header must be refreshed.

Signed-off-by: default avatarStephen Hemminger <shemminger@osdl.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 70f8e78e

net/ipx/af_ipx.c

+5 −2
Original line number Diff line number Diff line
@@ -1642,14 +1642,17 @@ static int ipx_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_ty 
	if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)

		goto out;



	ipx		= ipx_hdr(skb);

	ipx_pktsize	= ntohs(ipx->ipx_pktsize);

	if (!pskb_may_pull(skb, sizeof(struct ipxhdr)))

		goto drop;



	ipx_pktsize = ntohs(ipxhdr(skb)->ipx_pktsize);

	

	/* Too small or invalid header? */

	if (ipx_pktsize < sizeof(struct ipxhdr) ||

	    !pskb_may_pull(skb, ipx_pktsize))

		goto drop;

                        

	ipx = ipx_hdr(skb);

	if (ipx->ipx_checksum != IPX_NO_CHECKSUM &&

	   ipx->ipx_checksum != ipx_cksum(ipx, ipx_pktsize))

		goto drop;