udp: Fix potential wrong ip_hdr(skb) pointers
Like the UDP header fix, pskb_may_pull() can potentially alter the SKB buffer. Thus the saddr and daddr, pointers may point to the old skb->data buffer. I haven't seen corruptions, as its only seen if the old skb->data buffer were reallocated by another user and written into very quickly (or poison'd by SLAB debugging). Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
efc683fc2a
commit
2783ef2312
|
@ -1234,8 +1234,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
|
|||
struct udphdr *uh;
|
||||
unsigned short ulen;
|
||||
struct rtable *rt = (struct rtable*)skb->dst;
|
||||
__be32 saddr = ip_hdr(skb)->saddr;
|
||||
__be32 daddr = ip_hdr(skb)->daddr;
|
||||
__be32 saddr, daddr;
|
||||
struct net *net = dev_net(skb->dev);
|
||||
|
||||
/*
|
||||
|
@ -1259,6 +1258,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
|
|||
if (udp4_csum_init(skb, uh, proto))
|
||||
goto csum_error;
|
||||
|
||||
saddr = ip_hdr(skb)->saddr;
|
||||
daddr = ip_hdr(skb)->daddr;
|
||||
|
||||
if (rt->rt_flags & (RTCF_BROADCAST|RTCF_MULTICAST))
|
||||
return __udp4_lib_mcast_deliver(net, skb, uh,
|
||||
saddr, daddr, udptable);
|
||||
|
|
Loading…
Reference in New Issue