cls_rsvp: add sanity check for the packet length
Changli Gao [Wed, 4 Aug 2010 04:55:40 +0000 (04:55 +0000)]
The packet length should be checked before the packet data is dereferenced.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/sched/cls_rsvp.h

index dd9414e..425a179 100644 (file)
@@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp,
        u8 tunnelid = 0;
        u8 *xprt;
 #if RSVP_DST_LEN == 4
-       struct ipv6hdr *nhptr = ipv6_hdr(skb);
+       struct ipv6hdr *nhptr;
+
+       if (!pskb_network_may_pull(skb, sizeof(*nhptr)))
+               return -1;
+       nhptr = ipv6_hdr(skb);
 #else
-       struct iphdr *nhptr = ip_hdr(skb);
+       struct iphdr *nhptr;
+
+       if (!pskb_network_may_pull(skb, sizeof(*nhptr)))
+               return -1;
+       nhptr = ip_hdr(skb);
 #endif
 
 restart: