
Commit 96af69ea authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

ipv6: mip6: fix mip6_mh_filter()



mip6_mh_filter() should not modify its input, or else its caller
would need to recompute ipv6_hdr() if skb->head is reallocated.

Use skb_header_pointer() instead of pskb_may_pull()

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 78cc88c4
+11 −9
@@ -86,28 +86,30 @@ static int mip6_mh_len(int type)


static int mip6_mh_filter(struct sock *sk, struct sk_buff *skb)
static int mip6_mh_filter(struct sock *sk, struct sk_buff *skb)
{
{
	struct ip6_mh *mh;
	struct ip6_mh _hdr;
	const struct ip6_mh *mh;


	if (!pskb_may_pull(skb, (skb_transport_offset(skb)) + 8) ||
	mh = skb_header_pointer(skb, skb_transport_offset(skb),
	    !pskb_may_pull(skb, (skb_transport_offset(skb) +
				sizeof(_hdr), &_hdr);
				 ((skb_transport_header(skb)[1] + 1) << 3))))
	if (!mh)
		return -1;
		return -1;


	mh = (struct ip6_mh *)skb_transport_header(skb);
	if (((mh->ip6mh_hdrlen + 1) << 3) > skb->len)
		return -1;


	if (mh->ip6mh_hdrlen < mip6_mh_len(mh->ip6mh_type)) {
	if (mh->ip6mh_hdrlen < mip6_mh_len(mh->ip6mh_type)) {
		LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH message too short: %d vs >=%d\n",
		LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH message too short: %d vs >=%d\n",
			       mh->ip6mh_hdrlen, mip6_mh_len(mh->ip6mh_type));
			       mh->ip6mh_hdrlen, mip6_mh_len(mh->ip6mh_type));
		mip6_param_prob(skb, 0, ((&mh->ip6mh_hdrlen) -
		mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_hdrlen) +
					 skb_network_header(skb)));
				skb_network_header_len(skb));
		return -1;
		return -1;
	}
	}


	if (mh->ip6mh_proto != IPPROTO_NONE) {
	if (mh->ip6mh_proto != IPPROTO_NONE) {
		LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n",
		LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n",
			       mh->ip6mh_proto);
			       mh->ip6mh_proto);
		mip6_param_prob(skb, 0, ((&mh->ip6mh_proto) -
		mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_proto) +
					 skb_network_header(skb)));
				skb_network_header_len(skb));
		return -1;
		return -1;
	}
	}
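Review bot: The new bound `((mh->ip6mh_hdrlen + 1) << 3) > skb->len` compares the declared header length with the whole `skb->len`, while the header itself is read at `skb_transport_offset(skb)`; the removed `pskb_may_pull()` call included that offset in the length it required. The two agree only if the transport offset is zero when this filter runs, which the hunk does not show, so with a non-zero offset a Mobility Header whose declared length runs past the end of the packet data could pass the check. Either include the offset, `if (skb_transport_offset(skb) + ((mh->ip6mh_hdrlen + 1) << 3) > skb->len)`, or add a comment stating that the caller has already pulled the skb up to the transport header. The body of mip6_mh_filter() continues past the end of the hunk.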