bridge: fix a possible use after free
br_multicast_ipv6_rcv() can call pskb_trim_rcsum() and therefore skb head can be reallocated. Cache icmp6_type field instead of dereferencing twice the struct icmp6hdr pointer. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
4b275d7efa
commit
22df13319d
|
@ -1456,7 +1456,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
|
|||
{
|
||||
struct sk_buff *skb2;
|
||||
const struct ipv6hdr *ip6h;
|
||||
struct icmp6hdr *icmp6h;
|
||||
u8 icmp6_type;
|
||||
u8 nexthdr;
|
||||
unsigned len;
|
||||
int offset;
|
||||
|
@ -1502,9 +1502,9 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
|
|||
__skb_pull(skb2, offset);
|
||||
skb_reset_transport_header(skb2);
|
||||
|
||||
icmp6h = icmp6_hdr(skb2);
|
||||
icmp6_type = icmp6_hdr(skb2)->icmp6_type;
|
||||
|
||||
switch (icmp6h->icmp6_type) {
|
||||
switch (icmp6_type) {
|
||||
case ICMPV6_MGM_QUERY:
|
||||
case ICMPV6_MGM_REPORT:
|
||||
case ICMPV6_MGM_REDUCTION:
|
||||
|
@ -1544,7 +1544,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
|
|||
|
||||
BR_INPUT_SKB_CB(skb)->igmp = 1;
|
||||
|
||||
switch (icmp6h->icmp6_type) {
|
||||
switch (icmp6_type) {
|
||||
case ICMPV6_MGM_REPORT:
|
||||
{
|
||||
struct mld_msg *mld;
|
||||
|
|
Loading…
Reference in New Issue