Merge branch 'next' into for-linus

Prepare input updates for 4.14 merge window.
author: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2017-09-04 09:22:54 -0700
committer: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2017-09-04 09:22:54 -0700
commit: a6cbfa1e6d38c4b3ab0ce7e3aea4bb4e744f24b8 (patch)
tree: 8960e571a398b5d32e72bdb9c89ce965daa870ab /net/netfilter/nf_conntrack_proto_sctp.c
parent: f5308d1b83eba20e69df5e0926ba7257c8dd9074 (diff)
parent: 08d6ac9ee5fedd82040bc878705981b67a116a3f (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 13875d599a85..1c5b14a6cab3 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -512,16 +512,19 @@ static int sctp_error(struct net *net, struct nf_conn *tpl, struct sk_buff *skb,
 		      u8 pf, unsigned int hooknum)
 {
 	const struct sctphdr *sh;
-	struct sctphdr _sctph;
 	const char *logmsg;
 
-	sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
-	if (!sh) {
+	if (skb->len < dataoff + sizeof(struct sctphdr)) {
 		logmsg = "nf_ct_sctp: short packet ";
 		goto out_invalid;
 	}
 	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
 	    skb->ip_summed == CHECKSUM_NONE) {
+		if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
+			logmsg = "nf_ct_sctp: failed to read header ";
+			goto out_invalid;
+		}
+		sh = (const struct sctphdr *)(skb->data + dataoff);
 		if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
 			logmsg = "nf_ct_sctp: bad CRC ";
 			goto out_invalid;
author	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2017-09-04 09:22:54 -0700
committer	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2017-09-04 09:22:54 -0700
commit	a6cbfa1e6d38c4b3ab0ce7e3aea4bb4e744f24b8 (patch)
tree	8960e571a398b5d32e72bdb9c89ce965daa870ab /net/netfilter/nf_conntrack_proto_sctp.c
parent	f5308d1b83eba20e69df5e0926ba7257c8dd9074 (diff)
parent	08d6ac9ee5fedd82040bc878705981b67a116a3f (diff)