Need to check some more cases in IPX receive.
If the skb is purely fragments, the IPX header needs to
be extracted. The function pskb_may_pull() may in theory invalidate
all the pointers in the skb, so references to ipx header must be
refreshed.
Signed-off-by: Stephen Hemminger <[EMAIL PROTECTED]>
---
net/ipx/af_ipx.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
675a6798f7a587cae7acf1ad795366ee201e1a41
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index c13e86b..4019642 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -1642,14 +1642,17 @@ static int ipx_rcv(struct sk_buff *skb,
if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
goto out;
- ipx = ipx_hdr(skb);
- ipx_pktsize = ntohs(ipx->ipx_pktsize);
+ if (!pskb_may_pull(skb, sizeof(struct ipxhdr)))
+ goto drop;
+
+ ipx_pktsize = ntohs(ipxhdr(skb)->ipx_pktsize);
/* Too small or invalid header? */
if (ipx_pktsize < sizeof(struct ipxhdr) ||
!pskb_may_pull(skb, ipx_pktsize))
goto drop;
+ ipx = ipx_hdr(skb);
if (ipx->ipx_checksum != IPX_NO_CHECKSUM &&
ipx->ipx_checksum != ipx_cksum(ipx, ipx_pktsize))
goto drop;
--
1.2.4
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
