author | Eric Dumazet <edumazet@google.com> | 2013-04-04 15:41:27 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-04-08 12:00:17 -0400 |
commit | 22251c73ca63b5b1050724be9b54910c101a5f30 (patch) | |
tree | 0f3ae2864a661d0d3ad178421d897ded5f884ac4 /net/ipv4/ip_gre.c | |
parent | f8075a8c946d11e17bb5d837e2a032206f26ec70 (diff) | |
ip_gre: fix a possible crash in parse_gre_header()
pskb_may_pull() can change skb->head, so we must init iph/greh after
calling it.
Bug added in commit c54419321455 (GRE: Refactor GRE tunneling code.)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/ip_gre.c')
-rw-r--r-- | net/ipv4/ip_gre.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index e5dfd2843f28..987a4e5e07e2 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -159,14 +159,14 @@ static int ip_gre_calc_hlen(__be16 o_flags)
 static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
 bool *csum_err, int *hdr_len)
 {
- struct iphdr *iph = ip_hdr(skb);
- struct gre_base_hdr *greh;
+ unsigned int ip_hlen = ip_hdrlen(skb);
+ const struct gre_base_hdr *greh;
 __be32 *options;

 if (unlikely(!pskb_may_pull(skb, sizeof(struct gre_base_hdr))))
 return -EINVAL;

- greh = (struct gre_base_hdr *)((u8 *)iph + (iph->ihl << 2));
+ greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
 if (unlikely(greh->flags & (GRE_VERSION | GRE_ROUTING)))
 return -EINVAL;

@@ -176,6 +176,8 @@ static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
 if (!pskb_may_pull(skb, *hdr_len))
 return -EINVAL;

+ greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
+
 tpi->proto = greh->protocol;

 options = (__be32 *)(greh + 1);
|
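Review bot: The length check and the pointer it protects are measured from different bases in the first hunk: `pskb_may_pull(skb, sizeof(struct gre_base_hdr))` guarantees linear bytes starting at skb->data, while `greh` is now computed as `skb_network_header(skb) + ip_hlen`. The two agree only when skb->data already sits at the GRE header that follows the skb's own IP header; the callers are outside this hunk, so that precondition should be confirmed for each of them, since a caller that passes a GRE header located elsewhere in the buffer would have `greh->flags` read from bytes the pull did not validate. I would either state the contract above the function, e.g. `/* skb->data must be at the GRE header, i.e. skb_network_header(skb) + ip_hdrlen(skb) */`, or derive `greh` from the same base the pull uses. The function body continues past the end of the hunk.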
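Review bot: The second assignment to `greh`, added after `pskb_may_pull(skb, *hdr_len)` in the second hunk, carries no comment, and an identical line a few statements earlier makes it look like a duplicate that a later cleanup could delete, which would reintroduce the stale-pointer read this commit fixes. I would add `/* pskb_may_pull() may reallocate skb->head; recompute greh */` directly above it. In the same hunk `options = (__be32 *)(greh + 1);` casts away the `const` the commit just put on `greh`; if `options` is only read in the rest of the body (not visible here), declaring it `const __be32 *options;` would keep the qualifier intact.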