diff options
| author | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2019-02-18 10:12:12 -0500 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2019-02-18 10:12:12 -0500 |
| commit | 5f09bc8cc4010a3ea17c5881a62fc45192ebe7b0 (patch) | |
| tree | c8e30ba4eaf357699ef97a786bf56661f4591be8 /net/ipv6/fou6.c | |
| parent | 6fd369dd1cb65a032f1ab9227033ecb7b759656d (diff) | |
| parent | a3b22b9f11d9fbc48b0291ea92259a5a810e9438 (diff) | |
Merge tag 'v5.0-rc7' into patchwork
Linux 5.0-rc7
* tag 'v5.0-rc7': (1667 commits)
Linux 5.0-rc7
Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
Input: st-keyscan - fix potential zalloc NULL dereference
Input: apanel - switch to using brightness_set_blocking()
powerpc/64s: Fix possible corruption on big endian due to pgd/pud_present()
efi/arm: Revert "Defer persistent reservations until after paging_init()"
arm64, mm, efi: Account for GICv3 LPI tables in static memblock reserve table
sunrpc: fix 4 more call sites that were using stack memory with a scatterlist
include/linux/module.h: copy __init/__exit attrs to init/cleanup_module
Compiler Attributes: add support for __copy (gcc >= 9)
lib/crc32.c: mark crc32_le_base/__crc32c_le_base aliases as __pure
auxdisplay: ht16k33: fix potential user-after-free on module unload
x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
i2c: bcm2835: Clear current buffer pointers and counts after a transfer
i2c: cadence: Fix the hold bit setting
drm: Use array_size() when creating lease
dm thin: fix bug where bio that overwrites thin block ignores FUA
Revert "exec: load_script: don't blindly truncate shebang string"
Revert "gfs2: read journal in large chunks to locate the head"
net: ethernet: freescale: set FEC ethtool regs version
...
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'net/ipv6/fou6.c')
| -rw-r--r-- | net/ipv6/fou6.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/net/ipv6/fou6.c b/net/ipv6/fou6.c index bd675c61deb1..b858bd5280bf 100644 --- a/net/ipv6/fou6.c +++ b/net/ipv6/fou6.c @@ -90,10 +90,11 @@ static int gue6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, { int transport_offset = skb_transport_offset(skb); struct guehdr *guehdr; - size_t optlen; + size_t len, optlen; int ret; - if (skb->len < sizeof(struct udphdr) + sizeof(struct guehdr)) + len = sizeof(struct udphdr) + sizeof(struct guehdr); + if (!pskb_may_pull(skb, len)) return -EINVAL; guehdr = (struct guehdr *)&udp_hdr(skb)[1]; @@ -128,9 +129,21 @@ static int gue6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, optlen = guehdr->hlen << 2; + if (!pskb_may_pull(skb, len + optlen)) + return -EINVAL; + + guehdr = (struct guehdr *)&udp_hdr(skb)[1]; if (validate_gue_flags(guehdr, optlen)) return -EINVAL; + /* Handling exceptions for direct UDP encapsulation in GUE would lead to + * recursion. Besides, this kind of encapsulation can't even be + * configured currently. Discard this. + */ + if (guehdr->proto_ctype == IPPROTO_UDP || + guehdr->proto_ctype == IPPROTO_UDPLITE) + return -EOPNOTSUPP; + skb_set_transport_header(skb, -(int)sizeof(struct icmp6hdr)); ret = gue6_err_proto_handler(guehdr->proto_ctype, skb, opt, type, code, offset, info); |