summaryrefslogtreecommitdiffstats
path: root/net/ipv4/raw.c
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@citi.umich.edu>2009-11-23 12:34:58 -0500
committerJ. Bruce Fields <bfields@citi.umich.edu>2009-11-23 12:34:58 -0500
commit9b8b317d58084b9a44f6f33b355c4278d9f841fb (patch)
treee0df89800bf4301c4017db3cdf04a2056ec1a852 /net/ipv4/raw.c
parent78c210efdefe07131f91ed512a3308b15bb14e2f (diff)
parent648f4e3e50c4793d9dbf9a09afa193631f76fa26 (diff)
downloadlinux-9b8b317d58084b9a44f6f33b355c4278d9f841fb.tar.gz
linux-9b8b317d58084b9a44f6f33b355c4278d9f841fb.tar.bz2
linux-9b8b317d58084b9a44f6f33b355c4278d9f841fb.zip
Merge commit 'v2.6.32-rc8' into HEAD
Diffstat (limited to 'net/ipv4/raw.c')
-rw-r--r--net/ipv4/raw.c24
1 files changed, 17 insertions, 7 deletions
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 757c9171e7c2..ab996f9c0fe0 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -352,13 +352,24 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
skb->ip_summed = CHECKSUM_NONE;
skb->transport_header = skb->network_header;
- err = memcpy_fromiovecend((void *)iph, from, 0, length);
- if (err)
- goto error_fault;
+ err = -EFAULT;
+ if (memcpy_fromiovecend((void *)iph, from, 0, length))
+ goto error_free;
- /* We don't modify invalid header */
iphlen = iph->ihl * 4;
- if (iphlen >= sizeof(*iph) && iphlen <= length) {
+
+ /*
+ * We don't want to modify the ip header, but we do need to
+ * be sure that it won't cause problems later along the network
+ * stack. Specifically we want to make sure that iph->ihl is a
+ * sane value. If ihl points beyond the length of the buffer passed
+ * in, reject the frame as invalid
+ */
+ err = -EINVAL;
+ if (iphlen > length)
+ goto error_free;
+
+ if (iphlen >= sizeof(*iph)) {
if (!iph->saddr)
iph->saddr = rt->rt_src;
iph->check = 0;
@@ -381,8 +392,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
out:
return 0;
-error_fault:
- err = -EFAULT;
+error_free:
kfree_skb(skb);
error:
IP_INC_STATS(net, IPSTATS_MIB_OUTDISCARDS);