]> pilppa.com Git - linux-2.6-omap-h63xx.git/commitdiff
[SNAP]: Check packet length before reading
authorHerbert Xu <herbert@gondor.apana.org.au>
Tue, 21 Aug 2007 07:06:37 +0000 (00:06 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Wed, 22 Aug 2007 03:58:13 +0000 (20:58 -0700)
The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.

Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/802/psnap.c

index 04ee43e7538f63af49529b31299747e7dac63f47..31128cb92a23fc9b3eba377b52705671a3c984c7 100644 (file)
@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
                .type = __constant_htons(ETH_P_SNAP),
        };
 
+       if (unlikely(!pskb_may_pull(skb, 5)))
+               goto drop;
+
        rcu_read_lock();
        proto = find_snap_client(skb_transport_header(skb));
        if (proto) {
@@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
                skb->transport_header += 5;
                skb_pull_rcsum(skb, 5);
                rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
-       } else {
-               skb->sk = NULL;
-               kfree_skb(skb);
-               rc = 1;
        }
-
        rcu_read_unlock();
+
+       if (unlikely(!proto))
+               goto drop;
+
+out:
        return rc;
+
+drop:
+       kfree_skb(skb);
+       goto out;
 }
 
 /*