openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

ip_gre: fix a possible crash in parse_gre_header() 

pskb_may_pull() can change skb->head, so we must init iph/greh after
calling it.

Bug added in commit c544193214 (GRE: Refactor GRE tunneling code.)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2013-04-04 15:41:27 +00:00 committed by David S. Miller
parent f8075a8c94
commit 22251c73ca
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
net/ipv4/ip_gre.c
View File

@ -159,14 +159,14 @@ static int ip_gre_calc_hlen(__be16 o_flags)
static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi, static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
bool *csum_err, int *hdr_len) bool *csum_err, int *hdr_len)
{ {
struct iphdr *iph = ip_hdr(skb); unsigned int ip_hlen = ip_hdrlen(skb);
struct gre_base_hdr *greh; const struct gre_base_hdr *greh;
__be32 *options; __be32 *options;
if (unlikely(!pskb_may_pull(skb, sizeof(struct gre_base_hdr)))) if (unlikely(!pskb_may_pull(skb, sizeof(struct gre_base_hdr))))
return -EINVAL; return -EINVAL;
greh = (struct gre_base_hdr *)((u8 *)iph + (iph->ihl << 2)); greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
if (unlikely(greh->flags & (GRE_VERSION | GRE_ROUTING))) if (unlikely(greh->flags & (GRE_VERSION | GRE_ROUTING)))
return -EINVAL; return -EINVAL;
@ -176,6 +176,8 @@ static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
if (!pskb_may_pull(skb, *hdr_len)) if (!pskb_may_pull(skb, *hdr_len))
return -EINVAL; return -EINVAL;
greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
tpi->proto = greh->protocol; tpi->proto = greh->protocol;
options = (__be32 *)(greh + 1); options = (__be32 *)(greh + 1);