[SNAP]: Check packet length before reading
The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.

Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
herbertx authored and David S. Miller committed Aug 22, 2007
1 parent 39dad26 commit d92a7db
Showing 1 changed file with 12 additions and 5 deletions.
17 changes: 12 additions & 5 deletions net/802/psnap.c
@@ -55,21 +55,28 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
.type = __constant_htons(ETH_P_SNAP),
};

if (unlikely(!pskb_may_pull(skb, 5)))
goto drop;

rcu_read_lock();
proto = find_snap_client(skb_transport_header(skb));
if (proto) {
/* Pass the frame on. */
skb->transport_header += 5;
skb_pull_rcsum(skb, 5);
rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
} else {
skb->sk = NULL;
kfree_skb(skb);
rc = 1;
}

rcu_read_unlock();

if (unlikely(!proto))
goto drop;

out:
return rc;

drop:
kfree_skb(skb);
goto out;
}

/*
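Review bot: the `drop:` path (`kfree_skb(skb); goto out;`) returns `rc` without assigning it anywhere in the visible lines. The early `goto drop` after the failed `pskb_may_pull(skb, 5)` never touches `rc`, and the `rc = 1` shown in the `else` branch is not on that path, so the return value depends on `rc` being initialised at its declaration, which lies above this hunk. Please confirm that, or set `rc` explicitly under `drop:`. Separately, the literal 5 now appears three times (`pskb_may_pull(skb, 5)`, `transport_header += 5`, `skb_pull_rcsum(skb, 5)`); a named constant for the 5 bytes `snap_rcv` reads, with a one-line comment, would keep the length check and the pull in step.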