author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-08-21 21:07:30 -0700 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2007-10-17 21:30:24 +0200 |
commit | 28c191e3e4ba5bbd5f163e43ccd0d94ac2dcf6c7 (patch) | |
tree | ce4e5e9b5ab1666b1845c7581f8bed868a1b9c37 /net/802 | |
parent | 28d0ce2de6c377dd891cd5bb385da777478e0d33 (diff) |
[PATCH] SNAP: Fix SNAP protocol header accesses.
The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.
Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.
Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net/802')
-rw-r--r-- | net/802/psnap.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/net/802/psnap.c b/net/802/psnap.c index 270b9d2cae65..44dc3f9b6d27 100644 --- a/net/802/psnap.c +++ b/net/802/psnap.c @@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, .type = __constant_htons(ETH_P_SNAP), }; + if (unlikely(!pskb_may_pull(skb, 5))) + goto drop; + rcu_read_lock(); proto = find_snap_client(skb->h.raw); if (proto) { @@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, skb->h.raw += 5; skb_pull_rcsum(skb, 5); rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); - } else { - skb->sk = NULL; - kfree_skb(skb); - rc = 1; } - rcu_read_unlock(); + + if (unlikely(!proto)) + goto drop; + +out: return rc; + +drop: + kfree_skb(skb); + goto out; } /* |
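Review bot: the length in the new `pskb_may_pull(skb, 5)` check at the top of snap_rcv is a bare literal, and the same 5 appears again in `skb->h.raw += 5` and `skb_pull_rcsum(skb, 5)` further down, so the bounds check and the reads it guards are kept in agreement only by hand. A named constant for the SNAP header length, used at all three sites, would stop the check from drifting away from the number of bytes actually consumed. Placing the check before `rcu_read_lock()` is correct, because the `drop` path it jumps to never calls `rcu_read_unlock()`.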
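Review bot: the new `drop:` label at the end of snap_rcv frees the skb and jumps back to `out:` to `return rc` without assigning rc, whereas the removed else branch set `rc = 1` explicitly. Both the early `goto drop` after the failed `pskb_may_pull` and the `!proto` case now depend on rc already holding the drop value, and its declaration is not visible in these hunks. Please confirm that rc is initialised to 1 where it is declared, or set it in the `drop:` block so that the return value does not depend on code outside the patch. The backward `goto out` could also be avoided by returning directly after `kfree_skb(skb)`.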