Commit c65353da authored Apr 14, 2011 by Eric Dumazet Committed by David S. Miller Apr 14, 2011

ip: ip_options_compile() resilient to NULL skb route



Scot Doyle demonstrated ip_options_compile() could be called with an skb
without an attached route, using a setup involving a bridge, netfilter,
and forged IP packets.

Let's make ip_options_compile() and ip_options_rcv_srr() a bit more
robust, instead of changing bridge/netfilter code.

With help from Hiroaki SHIMODA.

Reported-by: Scot Doyle <lkml@scotdoyle.com>
Tested-by: Scot Doyle <lkml@scotdoyle.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 49b4947a

net/ipv4/ip_options.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -329,7 +329,7 @@ int ip_options_compile(struct net *net,
		pp_ptr = optptr + 2;
		goto error;
		}
		if (skb) {
		if (rt) {
		memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
		opt->is_changed = 1;
		}
		@@ -371,7 +371,7 @@ int ip_options_compile(struct net *net,
		goto error;
		}
		opt->ts = optptr - iph;
		if (skb) {
		if (rt) {
		memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
		timeptr = (__be32*)&optptr[optptr[2]+3];
		}
		@@ -603,7 +603,7 @@ int ip_options_rcv_srr(struct sk_buff *skb)
		unsigned long orefdst;
		int err;

		if (!opt->srr)
		if (!opt->srr \|\| !rt)
		return 0;

		if (skb->pkt_type != PACKET_HOST)