Commit cbb1dbb6 authored by Mark H. Weaver, committed by Chris Wright

netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack

[ Upstream commit 534f81a5 ]

This patch fixes an unaligned memory access in tcp_sack while reading
sequence numbers from TCP selective acknowledgement options.  Prior to
applying this patch, upstream linux-2.6.27.20 was occasionally
generating messages like this on my sparc64 system:

  [54678.532071] Kernel unaligned access at TPC[6b17d4] tcp_packet+0xcd4/0xd00
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
parent 8e0ee43b
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/ipv6.h> #include <linux/ipv6.h>
#include <net/ip6_checksum.h> #include <net/ip6_checksum.h>
#include <asm/unaligned.h>
#include <net/tcp.h> #include <net/tcp.h>
...@@ -466,7 +467,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, ...@@ -466,7 +467,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
for (i = 0; for (i = 0;
i < (opsize - TCPOLEN_SACK_BASE); i < (opsize - TCPOLEN_SACK_BASE);
i += TCPOLEN_SACK_PERBLOCK) { i += TCPOLEN_SACK_PERBLOCK) {
tmp = ntohl(*((__be32 *)(ptr+i)+1)); tmp = get_unaligned_be32((__be32 *)(ptr+i)+1);
if (after(tmp, *sack)) if (after(tmp, *sack))
*sack = tmp; *sack = tmp;
......
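Review bot: The argument on the changed line in tcp_sack's loop still casts `ptr+i` to `__be32 *` and steps it by one element, so a typed pointer to a possibly misaligned address is formed even though the load itself is now alignment-safe. get_unaligned_be32() takes a `const void *`, so the byte address can be passed directly, which also makes it clearer that the second word of each SACK block is being read: `tmp = get_unaligned_be32(ptr + i + 4);`, assuming ptr is a byte pointer, which the hunk does not show. A one-line comment such as `/* TCP options carry no alignment guarantee; SACK edges may sit at any byte offset */` would record why the accessor is needed here. The loop bound is derived from opsize, a length taken from the packet, and its validation lies outside the hunk, as does the rest of tcp_sack.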