forked from luck/tmp_suning_uos_patched
xfrm6: fix a potential use after free in xfrm6_policy.c
pskb_may_pull() maybe change skb->data and make nh and exthdr pointer oboslete, so recompute the nd and exthdr Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
8751b12cd9
commit
789f202326
|
@ -170,8 +170,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
|
||||||
case IPPROTO_DCCP:
|
case IPPROTO_DCCP:
|
||||||
if (!onlyproto && (nh + offset + 4 < skb->data ||
|
if (!onlyproto && (nh + offset + 4 < skb->data ||
|
||||||
pskb_may_pull(skb, nh + offset + 4 - skb->data))) {
|
pskb_may_pull(skb, nh + offset + 4 - skb->data))) {
|
||||||
__be16 *ports = (__be16 *)exthdr;
|
__be16 *ports;
|
||||||
|
|
||||||
|
nh = skb_network_header(skb);
|
||||||
|
ports = (__be16 *)(nh + offset);
|
||||||
fl6->fl6_sport = ports[!!reverse];
|
fl6->fl6_sport = ports[!!reverse];
|
||||||
fl6->fl6_dport = ports[!reverse];
|
fl6->fl6_dport = ports[!reverse];
|
||||||
}
|
}
|
||||||
|
@ -180,8 +182,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
|
||||||
|
|
||||||
case IPPROTO_ICMPV6:
|
case IPPROTO_ICMPV6:
|
||||||
if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
|
if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
|
||||||
u8 *icmp = (u8 *)exthdr;
|
u8 *icmp;
|
||||||
|
|
||||||
|
nh = skb_network_header(skb);
|
||||||
|
icmp = (u8 *)(nh + offset);
|
||||||
fl6->fl6_icmp_type = icmp[0];
|
fl6->fl6_icmp_type = icmp[0];
|
||||||
fl6->fl6_icmp_code = icmp[1];
|
fl6->fl6_icmp_code = icmp[1];
|
||||||
}
|
}
|
||||||
|
@ -192,8 +196,9 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
|
||||||
case IPPROTO_MH:
|
case IPPROTO_MH:
|
||||||
if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
|
if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
|
||||||
struct ip6_mh *mh;
|
struct ip6_mh *mh;
|
||||||
mh = (struct ip6_mh *)exthdr;
|
|
||||||
|
|
||||||
|
nh = skb_network_header(skb);
|
||||||
|
mh = (struct ip6_mh *)(nh + offset);
|
||||||
fl6->fl6_mh_type = mh->ip6mh_type;
|
fl6->fl6_mh_type = mh->ip6mh_type;
|
||||||
}
|
}
|
||||||
fl6->flowi6_proto = nexthdr;
|
fl6->flowi6_proto = nexthdr;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user