This patch checks if sk buffer is available to dereference ife header. If not then NULL will be returned to signal a malformed ife packet. This avoids crashing the kernel from outside.
Signed-off-by: Alexander Aring <[email protected]> Reviewed-by: Yotam Gigi <[email protected]> Acked-by: Jamal Hadi Salim <[email protected]> --- net/ife/ife.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/ife/ife.c b/net/ife/ife.c index 7fbe70a0af4b..570a18d4ca32 100644 --- a/net/ife/ife.c +++ b/net/ife/ife.c @@ -70,6 +70,9 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen) u16 ifehdrln; ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len); + if (!pskb_may_pull(skb, skb->dev->hard_header_len + IFE_METAHDRLEN)) + return NULL; + ifehdrln = ntohs(ifehdr->metalen); total_pull = skb->dev->hard_header_len + ifehdrln; -- 2.11.0
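Review bot: In ife_decode(), `ifehdr` is computed from `skb->data` on the line before the new `pskb_may_pull()` call, but `pskb_may_pull()` can reallocate the skb head when the requested bytes are not in the linear area, so the following `ntohs(ifehdr->metalen)` may read through a stale pointer. Move the `ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len);` assignment below the check so it is derived from the post-pull `skb->data`. Separately, the check only guarantees `hard_header_len + IFE_METAHDRLEN` bytes, while `total_pull` is built from the packet-supplied `ifehdrln`; nothing in the visible lines validates that length against the buffer, so it is worth confirming that `total_pull` is bounded (for example with a second `pskb_may_pull(skb, total_pull)`) before it is used.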
