summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2008-01-16 01:21:00 +0200
committerAdrian Bunk <bunk@kernel.org>2008-01-16 01:21:00 +0200
commitd97b07efe475fc99271820c8c45db3092c99774d (patch)
tree05852ebf3e079ee0f07dfb6ef9fa87e68c00141b
parentf9fdf12742cdc18ca30ff6c3bec3bf1748deffa7 (diff)
downloadlwn-d97b07efe475fc99271820c8c45db3092c99774d.tar.gz
lwn-d97b07efe475fc99271820c8c45db3092c99774d.zip
[IPV4] raw: Strengthen check on validity of iph->ihl
[ Upstream commit: f844c74fe07321953e2dd227fe35280075f18f60 ] We currently check that iph->ihl is bounded by the real length and that the real length is greater than the minimum IP header length. However, we did not check the caes where iph->ihl is less than the minimum IP header length. This breaks because some ip_fast_csum implementations assume that which is quite reasonable. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@kernel.org>
Diffstat
-rw-r--r--net/ipv4/raw.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index f29a12da5109..0802f56fd9ea 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -271,6 +271,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
int hh_len;
struct iphdr *iph;
struct sk_buff *skb;
+ unsigned int iphlen;
int err;
if (length > rt->u.dst.dev->mtu) {
@@ -302,7 +303,8 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
goto error_fault;
/* We don't modify invalid header */
- if (length >= sizeof(*iph) && iph->ihl * 4U <= length) {
+ iphlen = iph->ihl * 4;
+ if (iphlen >= sizeof(*iph) && iphlen <= length) {
if (!iph->saddr)
iph->saddr = rt->rt_src;
iph->check = 0;