From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
To: "'netdev@vger.kernel.org'" <netdev@vger.kernel.org>,
David Miller <davem@davemloft.net>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>, erdnetdev@gmail.com
Subject: [PATCH V2] ipv6 mcast: Fix incorrect use of pskb_may_pull().
Date: Wed, 26 Dec 2012 12:12:13 +0900
Message-ID: <50DA6B0D.6010500@linux-ipv6.org>

pskb_may_pull(skb, len) ensures that len bytes from skb->data
are available in a linear array. When pskb_may_pull() is
being used multiple times for the same buffer without
skb_pull(), the length is not accumulated.

For example, assuming that we have done:
	pskb_may_pull(skb, sizeof(struct icmp6hdr))
Here, we have to do:
	pskb_may_pull(skb, sizeof(struct mld2_query))
instead of:
	pskb_may_pull(skb, sizeof(struct mld2_query) -
			   sizeof(struct icmp6hdr))

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
---
net/ipv6/mcast.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 28dfa5f..5d91832 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1124,7 +1124,7 @@ int igmp6_event_query(struct sk_buff *skb)
int mark = 0;
int len;
- if (!pskb_may_pull(skb, sizeof(struct in6_addr)))
+ if (!pskb_may_pull(skb, sizeof(struct icmp6hdr) + sizeof(struct in6_addr)))
return -EINVAL;
/* compute payload length excluding extension headers */
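Review bot: In the first pskb_may_pull() of igmp6_event_query(), the new length sizeof(struct icmp6hdr) + sizeof(struct in6_addr) spells out by hand what igmp6_event_report() in the last hunk writes as sizeof(*mld) for a struct mld_msg. If the two describe the same fixed header, sizeof(struct mld_msg) here would keep both entry points in the same form and shorten the line.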
@@ -1165,9 +1165,7 @@ int igmp6_event_query(struct sk_buff *skb)
/* clear deleted report items */
mld_clear_delrec(idev);
} else if (len >= 28) {
- int srcs_offset = sizeof(struct mld2_query) -
- sizeof(struct icmp6hdr);
- if (!pskb_may_pull(skb, srcs_offset))
+ if (!pskb_may_pull(skb, sizeof(struct mld2_query)))
return -EINVAL;
mlh2 = (struct mld2_query *)skb_transport_header(skb);
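Review bot: The branch is still guarded by the literal in len >= 28, while the pull directly below it now asks for sizeof(struct mld2_query). If 28 is meant to be that same fixed MLDv2 query size, a named constant or a short comment on the condition would tie the two together, so a later change to one is not made without the other. Since len is declared as int, a named constant is safer than comparing it against a sizeof expression directly.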
@@ -1186,8 +1184,9 @@ int igmp6_event_query(struct sk_buff *skb)
}
/* mark sources to include, if group & source-specific */
if (mlh2->mld2q_nsrcs != 0) {
- if (!pskb_may_pull(skb, srcs_offset +
- ntohs(mlh2->mld2q_nsrcs) * sizeof(struct in6_addr)))
+ if (!pskb_may_pull(skb,
+ sizeof(struct mld2_query) +
+ ntohs(mlh2->mld2q_nsrcs) * sizeof(struct in6_addr)))
return -EINVAL;
mlh2 = (struct mld2_query *)skb_transport_header(skb);
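Review bot: In the source-list pull, the count is taken straight from the packet with ntohs(mlh2->mld2q_nsrcs), and in the lines shown the only bound on it is what pskb_may_pull() can find in the skb. It is not compared with len, the payload length computed at the top of igmp6_event_query(). If the skb can carry bytes beyond the ICMPv6 payload, checking sizeof(struct mld2_query) + nsrcs * sizeof(struct in6_addr) against len before the pull would keep the source list inside the message; otherwise a comment saying why the pull alone is enough would help.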
@@ -1248,7 +1247,7 @@ int igmp6_event_report(struct sk_buff *skb)
skb->pkt_type != PACKET_BROADCAST)
return 0;
- if (!pskb_may_pull(skb, sizeof(*mld) - sizeof(struct icmp6hdr)))
+ if (!pskb_may_pull(skb, sizeof(*mld)))
return -EINVAL;
mld = (struct mld_msg *)icmp6_hdr(skb);
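Review bot: pskb_may_pull(skb, sizeof(*mld)) counts from skb->data, as the commit message says, but mld is then read through icmp6_hdr(skb), and the query path reads through skb_transport_header(skb). The new lengths are correct only if skb->data sits at the transport header when these handlers run. Please state that assumption in the commit message or a comment, or make it explicit by adding skb_transport_offset(skb) to the length passed to pskb_may_pull().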
--
1.7.9.5