author | Mauro Carvalho Chehab <mchehab@redhat.com> | 2012-10-01 21:52:40 +0400 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2012-10-01 21:52:40 +0400 |
commit | aaf675f53a7176475f69595827248c8b2556ea8c (patch) | |
tree | 0cb744dec714328c9f89bf85553fb7195107e5d4 /net/ipv6/mip6.c | |
parent | 347c4e95845fad1853c0e3da6603a44c5d6122b3 (diff) | |
parent | a0d271cbfed1dd50278c6b06bead3d00ba0a88f9 (diff) | |
Merge tag 'v3.6' into staging/for_v3.7
Linux 3.6
* tag 'v3.6': (562 commits)
Linux 3.6
vfs: dcache: fix deadlock in tree traversal
mtdchar: fix offset overflow detection
thp: avoid VM_BUG_ON page_count(page) false positives in __collapse_huge_page_copy
iommu/amd: Fix wrong assumption in iommu-group specific code
netdev: octeon: fix return value check in octeon_mgmt_init_phy()
ALSA: snd-usb: fix next_packet_size calls for pause case
inetpeer: fix token initialization
qlcnic: Fix scheduling while atomic bug
bnx2: Clean up remaining iounmap
trivial select_parent documentation fix
net: phy: smsc: Implement PHY config_init for LAN87xx
smsc75xx: fix resume after device reset
um: Preinclude include/linux/kern_levels.h
um: Fix IPC on um
netdev: pasemi: fix return value check in pasemi_mac_phy_init()
team: fix return value check
l2tp: fix return value check
USB: Fix race condition when removing host controllers
USB: ohci-at91: fix null pointer in ohci_hcd_at91_overcurrent_irq
...
Diffstat (limited to 'net/ipv6/mip6.c')
-rw-r--r-- | net/ipv6/mip6.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index 5b087c31d87b..0f9bdc5ee9f3 100644
--- a/net/ipv6/mip6.c
+++ b/net/ipv6/mip6.c
@@ -86,28 +86,30 @@ static int mip6_mh_len(int type)
 
 static int mip6_mh_filter(struct sock *sk, struct sk_buff *skb)
 {
- struct ip6_mh *mh;
+ struct ip6_mh _hdr;
+ const struct ip6_mh *mh;
 
- if (!pskb_may_pull(skb, (skb_transport_offset(skb)) + 8) ||
- !pskb_may_pull(skb, (skb_transport_offset(skb) +
- ((skb_transport_header(skb)[1] + 1) << 3))))
+ mh = skb_header_pointer(skb, skb_transport_offset(skb),
+ sizeof(_hdr), &_hdr);
+ if (!mh)
 return -1;
 
- mh = (struct ip6_mh *)skb_transport_header(skb);
+ if (((mh->ip6mh_hdrlen + 1) << 3) > skb->len)
+ return -1;
 
 if (mh->ip6mh_hdrlen < mip6_mh_len(mh->ip6mh_type)) {
 LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH message too short: %d vs >=%d\n",
 mh->ip6mh_hdrlen, mip6_mh_len(mh->ip6mh_type));
- mip6_param_prob(skb, 0, ((&mh->ip6mh_hdrlen) -
- skb_network_header(skb)));
+ mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_hdrlen) +
+ skb_network_header_len(skb));
 return -1;
 }
 
 if (mh->ip6mh_proto != IPPROTO_NONE) {
 LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n",
 mh->ip6mh_proto);
- mip6_param_prob(skb, 0, ((&mh->ip6mh_proto) -
- skb_network_header(skb)));
+ mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_proto) +
+ skb_network_header_len(skb));
 return -1;
 }
 
|
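Review bot: The new bound `if (((mh->ip6mh_hdrlen + 1) << 3) > skb->len)` compares the declared Mobility Header length with the whole of `skb->len`, while the removed `pskb_may_pull()` calls and the `skb_header_pointer()` call just above it both start from `skb_transport_offset(skb)`. If that offset can be non-zero when this filter runs (the callers are not visible here), a header whose declared length runs past the end of the packet by up to that many bytes is accepted. Either include the offset, `if (skb_transport_offset(skb) + ((mh->ip6mh_hdrlen + 1) << 3) > skb->len)`, or add a comment stating why the offset is always zero at this point. Because `mh` may now point at the 8-byte stack copy `_hdr`, a comment noting that only the fixed header fields may be read through it would also help; the body of mip6_mh_filter continues past the end of the hunk.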