From patchwork Fri Jul 3 02:59:49 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wei Yongjun X-Patchwork-Id: 29443 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@bilbo.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from ozlabs.org (ozlabs.org [203.10.76.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mx.ozlabs.org", Issuer "CA Cert Signing Authority" (verified OK)) by bilbo.ozlabs.org (Postfix) with ESMTPS id 976F7B7063 for ; Fri, 3 Jul 2009 13:00:52 +1000 (EST) Received: by ozlabs.org (Postfix) id 8BE93DDD1B; Fri, 3 Jul 2009 13:00:52 +1000 (EST) Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id 15606DDD0B for ; Fri, 3 Jul 2009 13:00:51 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755892AbZGCDAm (ORCPT ); Thu, 2 Jul 2009 23:00:42 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1753926AbZGCDAm (ORCPT ); Thu, 2 Jul 2009 23:00:42 -0400 Received: from cn.fujitsu.com ([222.73.24.84]:51590 "EHLO song.cn.fujitsu.com" rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1754248AbZGCDAl (ORCPT ); Thu, 2 Jul 2009 23:00:41 -0400 Received: from tang.cn.fujitsu.com (tang.cn.fujitsu.com [10.167.250.3]) by song.cn.fujitsu.com (Postfix) with ESMTP id 3AAC7170153; Fri, 3 Jul 2009 11:08:15 +0800 (CST) Received: from fnst.cn.fujitsu.com (localhost.localdomain [127.0.0.1]) by tang.cn.fujitsu.com (8.13.1/8.13.1) with ESMTP id n633R0Cv005579; Fri, 3 Jul 2009 11:27:01 +0800 Received: from [127.0.0.1] (unknown [10.167.141.76]) by fnst.cn.fujitsu.com (Postfix) with ESMTP id B0C8ED4016; Fri, 3 Jul 2009 10:59:42 +0800 (CST) Message-ID: <4A4D7425.7080005@cn.fujitsu.com> Date: Fri, 03 Jul 2009 10:59:49 +0800 From: Wei Yongjun User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: Herbert Xu , David Miller CC: Netdev Subject: [PATCH 2/2] xfrm6: fix the proto and ports decode of sctp protocol References: <4A4D7393.1060303@cn.fujitsu.com> In-Reply-To: <4A4D7393.1060303@cn.fujitsu.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The SCTP pushed the skb above the sctp chunk header, so the check of pskb_may_pull(skb, nh + offset + 1 - skb->data) in _decode_session6() will never return 0 and the ports decode of sctp will always fail. (nh + offset + 1 - skb->data < 0) Signed-off-by: Wei Yongjun Acked-by: Herbert Xu --- net/ipv6/xfrm6_policy.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index b4b16a4..3a3c677 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c @@ -157,7 +157,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr); ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr); - while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) { + while (nh + offset + 1 < skb->data || + pskb_may_pull(skb, nh + offset + 1 - skb->data)) { nh = skb_network_header(skb); exthdr = (struct ipv6_opt_hdr *)(nh + offset); @@ -177,7 +178,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) case IPPROTO_TCP: case IPPROTO_SCTP: case IPPROTO_DCCP: - if (!onlyproto && pskb_may_pull(skb, nh + offset + 4 - skb->data)) { + if (!onlyproto && (nh + offset + 4 < skb->data || + pskb_may_pull(skb, nh + offset + 4 - skb->data))) { __be16 *ports = (__be16 *)exthdr; fl->fl_ip_sport = ports[!!reverse];