From patchwork Fri Jul 3 02:57:23 2009
X-Patchwork-Submitter: Wei Yongjun
X-Patchwork-Id: 29442
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <4A4D7393.1060303@cn.fujitsu.com>
Date: Fri, 03 Jul 2009 10:57:23 +0800
From: Wei Yongjun User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: Herbert Xu , David Miller CC: Netdev Subject: [PATCH 1/2] xfrm4: fix the ports decode of sctp protocol Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The SCTP pushed the skb data above the sctp chunk header, so the check of pskb_may_pull(skb, xprth + 4 - skb->data) in _decode_session4() will never return 0 because xprth + 4 - skb->data < 0, the ports decode of sctp will always fail. Signed-off-by: Wei Yongjun Acked-by: Herbert Xu --- net/ipv4/xfrm4_policy.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 60d918c..0071ee6 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c @@ -136,7 +136,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) case IPPROTO_TCP: case IPPROTO_SCTP: case IPPROTO_DCCP: - if (pskb_may_pull(skb, xprth + 4 - skb->data)) { + if (xprth + 4 < skb->data || + pskb_may_pull(skb, xprth + 4 - skb->data)) { __be16 *ports = (__be16 *)xprth; fl->fl_ip_sport = ports[!!reverse];
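Review bot: the new `xprth + 4 < skb->data ||` branch in the TCP/SCTP/DCCP case skips pskb_may_pull() altogether and then reads `ports[!!reverse]` from bytes that lie before skb->data, so the hunk depends on an unstated assumption that those already-pulled header bytes are still present in the linear buffer. Please add a short comment above the condition stating that assumption (the commit message gives the reason, SCTP having pushed skb->data past its header, but the code does not), since without it the pointer comparison reads like a bypass of the length check. The commit message also contradicts itself: it says the old check "will never return 0" and, in the same sentence, that the SCTP port decode always fails; it should say which result the old check actually produced when `xprth + 4 - skb->data` is negative.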