Commit 4c94bf7f authored by Herbert Xu's avatar Herbert Xu Committed by Adrian Bunk

[SNAP]: Check packet length before reading

The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.

Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarAdrian Bunk <bunk@kernel.org>
parent 2ba6064c
...@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, ...@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
.type = __constant_htons(ETH_P_SNAP), .type = __constant_htons(ETH_P_SNAP),
}; };
if (unlikely(!pskb_may_pull(skb, 5)))
goto drop;
rcu_read_lock(); rcu_read_lock();
proto = find_snap_client(skb->h.raw); proto = find_snap_client(skb->h.raw);
if (proto) { if (proto) {
...@@ -64,14 +67,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, ...@@ -64,14 +67,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
skb_pull(skb, 5); skb_pull(skb, 5);
skb_postpull_rcsum(skb, hdr, 5); skb_postpull_rcsum(skb, hdr, 5);
rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
} else {
skb->sk = NULL;
kfree_skb(skb);
rc = 1;
} }
rcu_read_unlock(); rcu_read_unlock();
if (unlikely(!proto))
goto drop;
out:
return rc; return rc;
drop:
kfree_skb(skb);
goto out;
} }
/* /*
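Review bot: On both `drop` paths the value returned is whatever `rc` holds from its declaration, which is above the hunk and not visible here; the removed `else` branch set `rc = 1` explicitly before freeing, and the new `pskb_may_pull()` failure path sets nothing before `goto drop`. If `rc` is declared as `int rc = 1;` this is fine; if not, the drop label should set it, e.g. `drop: kfree_skb(skb); rc = 1; goto out;`. Separately, the SNAP header length `5` now appears three times in this function (`pskb_may_pull`, `skb_pull`, `skb_postpull_rcsum`); a named constant such as `#define SNAP_HDR_LEN 5 /* 3-byte OUI + 2-byte protocol id */` would tie the length check to the pulls it protects. The new check would also read better with a one-line why-comment, e.g. `/* find_snap_client() reads 5 bytes at skb->h.raw; make sure they are linear */`. snap_rcv's opening lines, including the declaration of `rc` and `proto`, are outside the hunk.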