summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorJesper Dangaard Brouer <hawk@comx.dk>2009-02-05 15:05:45 -0800
committerGreg Kroah-Hartman <gregkh@suse.de>2009-02-17 09:46:23 -0800
commit2c55d86dc58c8e530d8cdff30e8529373dfa4804 (patch)
treeb39803e303380b7fe61bf674368f6e2ce9937ffc /net
parent1ba7f7b70074e3989f2b6e24a3488d92dea25b97 (diff)
downloadlwn-2c55d86dc58c8e530d8cdff30e8529373dfa4804.tar.gz
lwn-2c55d86dc58c8e530d8cdff30e8529373dfa4804.zip
udp: Fix UDP short packet false positive
[ Upstream commit 7b5e56f9d635643ad54f2f42e69ad16b80a2cff1 ] The UDP header pointer assignment must happen after calling pskb_may_pull(). As pskb_may_pull() can potentially alter the SKB buffer. This was exposted by running multicast traffic through the NIU driver, as it won't prepull the protocol headers into the linear area on receive. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/udp.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 915e6b7ad7fd..f4ccd672d11b 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1172,7 +1172,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct hlist_head udptable[],
int proto)
{
struct sock *sk;
- struct udphdr *uh = udp_hdr(skb);
+ struct udphdr *uh;
unsigned short ulen;
struct rtable *rt = (struct rtable*)skb->dst;
__be32 saddr = ip_hdr(skb)->saddr;
@@ -1185,6 +1185,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct hlist_head udptable[],
if (!pskb_may_pull(skb, sizeof(struct udphdr)))
goto drop; /* No space for header. */
+ uh = udp_hdr(skb);
ulen = ntohs(uh->len);
if (ulen > skb->len)
goto short_packet;