From patchwork Fri Feb  6 09:55:58 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jesper Dangaard Brouer <jdb@comx.dk>
X-Patchwork-Id: 22325
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id 1773DDDE41
	for <patchwork-incoming@ozlabs.org>;
	Fri,  6 Feb 2009 20:56:08 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752916AbZBFJ4B (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 6 Feb 2009 04:56:01 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752751AbZBFJ4B
	(ORCPT <rfc822;netdev-outgoing>); Fri, 6 Feb 2009 04:56:01 -0500
Received: from lanfw001a.cxnet.dk ([87.72.215.196]:52475 "EHLO
	lanfw001a.cxnet.dk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752104AbZBFJ4A (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 6 Feb 2009 04:56:00 -0500
Received: from comxexch02.comx.local (unknown [172.31.1.117])
	by lanfw001a.cxnet.dk (Postfix) with ESMTP id 09BD51638AE;
	Fri,  6 Feb 2009 10:55:59 +0100 (CET)
Received: from 172.31.4.93 ([172.31.4.93]) by comxexch02.comx.local
	([172.31.1.117]) with Microsoft Exchange Server HTTP-DAV ;
	Fri,  6 Feb 2009 09:55:58 +0000
Received: from hawk by comxexch02.comx.local; 06 Feb 2009 10:55:58 +0100
Subject: [PATCH] udp: Fix potential wrong ip_hdr(skb) pointers
From: Jesper Dangaard Brouer <jdb@comx.dk>
Reply-To: jdb@comx.dk
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org
In-Reply-To: <20090206.010824.99072382.davem@davemloft.net>
References: <1233838027.20497.132.camel@localhost.localdomain>
	<20090205.150612.208352009.davem@davemloft.net>
	<1233910824.21135.6.camel@localhost.localdomain>
	<20090206.010824.99072382.davem@davemloft.net>
Organization: ComX Networks A/S
Date: Fri, 06 Feb 2009 10:55:58 +0100
Message-Id: <1233914158.21135.11.camel@localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.6.3 
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

On Fri, 2009-02-06 at 01:08 -0800, David Miller wrote:
> Please respin this patch of your's with proper commit message
> and signoffs, thanks!

Like the UDP header fix, pskb_may_pull() can potentially
alter the SKB buffer.  Thus the saddr and daddr, pointers
may point to the old skb->data buffer.

I haven't seen corruptions, as its only seen if the old
skb->data buffer were reallocated by another user and
written into very quickly (or poison'd by SLAB debugging).

Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
---

 net/ipv4/udp.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index cc3a0a0..c47c989 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1234,8 +1234,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 	struct udphdr *uh;
 	unsigned short ulen;
 	struct rtable *rt = (struct rtable*)skb->dst;
-	__be32 saddr = ip_hdr(skb)->saddr;
-	__be32 daddr = ip_hdr(skb)->daddr;
+	__be32 saddr, daddr;
 	struct net *net = dev_net(skb->dev);
 
 	/*
@@ -1259,6 +1258,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 	if (udp4_csum_init(skb, uh, proto))
 		goto csum_error;
 
+	saddr = ip_hdr(skb)->saddr;
+	daddr = ip_hdr(skb)->daddr;
+
 	if (rt->rt_flags & (RTCF_BROADCAST|RTCF_MULTICAST))
 		return __udp4_lib_mcast_deliver(net, skb, uh,
 				saddr, daddr, udptable);