mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-11 15:40:50 +00:00
ip_gre: fix a possible crash in parse_gre_header()
pskb_may_pull() can change skb->head, so we must init iph/greh after calling it. Bug added in commit c54419321455 (GRE: Refactor GRE tunneling code.) Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Pravin B Shelar <pshelar@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
f8075a8c94
commit
22251c73ca
@ -159,14 +159,14 @@ static int ip_gre_calc_hlen(__be16 o_flags)
|
||||
static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
|
||||
bool *csum_err, int *hdr_len)
|
||||
{
|
||||
struct iphdr *iph = ip_hdr(skb);
|
||||
struct gre_base_hdr *greh;
|
||||
unsigned int ip_hlen = ip_hdrlen(skb);
|
||||
const struct gre_base_hdr *greh;
|
||||
__be32 *options;
|
||||
|
||||
if (unlikely(!pskb_may_pull(skb, sizeof(struct gre_base_hdr))))
|
||||
return -EINVAL;
|
||||
|
||||
greh = (struct gre_base_hdr *)((u8 *)iph + (iph->ihl << 2));
|
||||
greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
|
||||
if (unlikely(greh->flags & (GRE_VERSION | GRE_ROUTING)))
|
||||
return -EINVAL;
|
||||
|
||||
@ -176,6 +176,8 @@ static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
|
||||
if (!pskb_may_pull(skb, *hdr_len))
|
||||
return -EINVAL;
|
||||
|
||||
greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
|
||||
|
||||
tpi->proto = greh->protocol;
|
||||
|
||||
options = (__be32 *)(greh + 1);
|
||||
|
Loading…
x
Reference in New Issue
Block a user