[PATCH] SNAP: Fix SNAP protocol header accesses.

The snap_rcv code reads 5 bytes so we should make sure that we have 5 bytes in the head before proceeding. Based on diagnosis and fix by Evgeniy Polyakov, reported by Alan J. Wylie. Patch also kills the skb->sk assignment before kfree_skb since it's redundant. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Herbert Xu <herbert@gondor.apana.org.au> 2007-08-21 21:07:30 -0700
committer: Willy Tarreau <w@1wt.eu> 2007-10-17 21:30:24 +0200
commit: 28c191e3e4ba5bbd5f163e43ccd0d94ac2dcf6c7 (patch)
tree: ce4e5e9b5ab1666b1845c7581f8bed868a1b9c37 /net/802
parent: 28d0ce2de6c377dd891cd5bb385da777478e0d33 (diff)
1 files changed, 12 insertions, 5 deletions
diff --git a/net/802/psnap.c b/net/802/psnap.c
index 270b9d2cae65..44dc3f9b6d27 100644
--- a/net/802/psnap.c
+++ b/net/802/psnap.c
@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
 		.type = __constant_htons(ETH_P_SNAP),
 	};
 
+	if (unlikely(!pskb_may_pull(skb, 5)))
+		goto drop;
+
 	rcu_read_lock();
 	proto = find_snap_client(skb->h.raw);
 	if (proto) {
@@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
 		skb->h.raw  += 5;
 		skb_pull_rcsum(skb, 5);
 		rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
-	} else {
-		skb->sk = NULL;
-		kfree_skb(skb);
-		rc = 1;
 	}
-
 	rcu_read_unlock();
+
+	if (unlikely(!proto))
+		goto drop;
+
+out:
 	return rc;
+
+drop:
+	kfree_skb(skb);
+	goto out;
 }
 
 /*
author	Herbert Xu <herbert@gondor.apana.org.au>	2007-08-21 21:07:30 -0700
committer	Willy Tarreau <w@1wt.eu>	2007-10-17 21:30:24 +0200
commit	28c191e3e4ba5bbd5f163e43ccd0d94ac2dcf6c7 (patch)
tree	ce4e5e9b5ab1666b1845c7581f8bed868a1b9c37 /net/802
parent	28d0ce2de6c377dd891cd5bb385da777478e0d33 (diff)