diff options
author | Yan Zheng <yanzheng@21cn.com> | 2005-10-31 20:09:45 +0800 |
---|---|---|
committer | Arnaldo Carvalho de Melo <acme@mandriva.com> | 2005-10-31 22:52:03 -0200 |
commit | 97300b5fdfe28c6edae926926f9467a27cf5889c (patch) | |
tree | 5a28ee8ff8fbddb44ed3f8b5e3d37c0439af1608 | |
parent | edc9e81917157d1e73bf081d4fbcad7c34d32783 (diff) | |
download | linux-stable-97300b5fdfe28c6edae926926f9467a27cf5889c.tar.gz linux-stable-97300b5fdfe28c6edae926926f9467a27cf5889c.tar.bz2 linux-stable-97300b5fdfe28c6edae926926f9467a27cf5889c.zip |
[MCAST] IPv6: Check packet size when process Multicast
Signed-off-by: Yan Zheng <yanzheng@21cn.com
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-rw-r--r-- | net/ipv6/mcast.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c index c4f2a0ef7489..966b2372aaab 100644 --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -1087,7 +1087,7 @@ static void mld_marksources(struct ifmcaddr6 *pmc, int nsrcs, int igmp6_event_query(struct sk_buff *skb) { - struct mld2_query *mlh2 = (struct mld2_query *) skb->h.raw; + struct mld2_query *mlh2 = NULL; struct ifmcaddr6 *ma; struct in6_addr *group; unsigned long max_delay; @@ -1140,6 +1140,13 @@ int igmp6_event_query(struct sk_buff *skb) /* clear deleted report items */ mld_clear_delrec(idev); } else if (len >= 28) { + int srcs_offset = sizeof(struct mld2_query) - + sizeof(struct icmp6hdr); + if (!pskb_may_pull(skb, srcs_offset)) { + in6_dev_put(idev); + return -EINVAL; + } + mlh2 = (struct mld2_query *) skb->h.raw; max_delay = (MLDV2_MRC(ntohs(mlh2->mrc))*HZ)/1000; if (!max_delay) max_delay = 1; @@ -1156,7 +1163,15 @@ int igmp6_event_query(struct sk_buff *skb) return 0; } /* mark sources to include, if group & source-specific */ - mark = mlh2->nsrcs != 0; + if (mlh2->nsrcs != 0) { + if (!pskb_may_pull(skb, srcs_offset + + mlh2->nsrcs * sizeof(struct in6_addr))) { + in6_dev_put(idev); + return -EINVAL; + } + mlh2 = (struct mld2_query *) skb->h.raw; + mark = 1; + } } else { in6_dev_put(idev); return -EINVAL; |