ip_gre: fix a possible crash in parse_gre_header()
pskb_may_pull() can change skb->head, so we must init iph/greh after
calling it.
Bug added in commit c544193214
(GRE: Refactor GRE tunneling code.)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
f8075a8c94
commit
22251c73ca
|
@ -159,14 +159,14 @@ static int ip_gre_calc_hlen(__be16 o_flags)
|
|||
static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
|
||||
bool *csum_err, int *hdr_len)
|
||||
{
|
||||
struct iphdr *iph = ip_hdr(skb);
|
||||
struct gre_base_hdr *greh;
|
||||
unsigned int ip_hlen = ip_hdrlen(skb);
|
||||
const struct gre_base_hdr *greh;
|
||||
__be32 *options;
|
||||
|
||||
if (unlikely(!pskb_may_pull(skb, sizeof(struct gre_base_hdr))))
|
||||
return -EINVAL;
|
||||
|
||||
greh = (struct gre_base_hdr *)((u8 *)iph + (iph->ihl << 2));
|
||||
greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
|
||||
if (unlikely(greh->flags & (GRE_VERSION | GRE_ROUTING)))
|
||||
return -EINVAL;
|
||||
|
||||
|
@ -176,6 +176,8 @@ static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
|
|||
if (!pskb_may_pull(skb, *hdr_len))
|
||||
return -EINVAL;
|
||||
|
||||
greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen);
|
||||
|
||||
tpi->proto = greh->protocol;
|
||||
|
||||
options = (__be32 *)(greh + 1);
|
||||
|
|
Loading…
Reference in New Issue