On Thu, 3 May 2018 13:37:54 -0700, Eric Dumazet wrote: > diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c > index > d7da99a0b0b852d7459eed9ac6d3cdf3d49a1a1c..9696ef96b719bf24625adea2a959deac1d2a975f > 100644 > --- a/net/nsh/nsh.c > +++ b/net/nsh/nsh.c > @@ -57,6 +57,8 @@ int nsh_pop(struct sk_buff *skb) > return -ENOMEM; > nh = (struct nshhdr *)(skb->data); > length = nsh_hdr_len(nh); > + if (length < NSH_BASE_HDR_LEN) > + return -EINVAL; > inner_proto = tun_p_to_eth_p(nh->np); > if (!pskb_may_pull(skb, length)) > return -ENOMEM; > @@ -90,6 +92,8 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, > if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN))) > goto out; > nsh_len = nsh_hdr_len(nsh_hdr(skb)); > + if (nsh_len < NSH_BASE_HDR_LEN) > + goto out; > if (unlikely(!pskb_may_pull(skb, nsh_len))) > goto out; >
Acked-by: Jiri Benc <jb...@redhat.com> Thanks, Eric, and shame on me! Jiri
