adulau/aha
1
0
Fork 0
mirror of https://github.com/adulau/aha.git synced 2024-12-28 19:56:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

[SNAP]: Check packet length before reading

Browse source 
The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.

Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Herbert Xu 2007-08-21 00:06:37 -07:00 committed by David S. Miller
parent 39dad26c37
commit d92a7db710
1 changed files with 12 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
net/802/psnap.c
View file

@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
.type = __constant_htons(ETH_P_SNAP), .type = __constant_htons(ETH_P_SNAP),
}; };
if (unlikely(!pskb_may_pull(skb, 5)))
goto drop;
rcu_read_lock(); rcu_read_lock();
proto = find_snap_client(skb_transport_header(skb)); proto = find_snap_client(skb_transport_header(skb));
if (proto) { if (proto) {
@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
skb->transport_header += 5; skb->transport_header += 5;
skb_pull_rcsum(skb, 5); skb_pull_rcsum(skb, 5);
rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
} else {
skb->sk = NULL;
kfree_skb(skb);
rc = 1;
} }
rcu_read_unlock(); rcu_read_unlock();
if (unlikely(!proto))
goto drop;
out:
return rc; return rc;
drop:
kfree_skb(skb);
goto out;
} }
/* /*