diff options
author | Li RongQing <roy.qing.li@gmail.com> | 2014-10-17 16:53:47 +0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-10-17 23:45:26 -0400 |
commit | d8f00d27105a1553a13d4a96c3eb4544f70ca908 (patch) | |
tree | 2233da4c4587011d7b10e5ce76e5b3be57ae3d62 /net/ipv4/fou.c | |
parent | 1245dfc8cadb258386fcd27df38215a0eccb1f17 (diff) |
ipv4: fix a potential use after free in fou.c
pskb_may_pull() maybe change skb->data and make uh pointer oboslete,
so reload uh and guehdr
Fixes: 37dd0247 ("gue: Receive side for Generic UDP Encapsulation")
Cc: Tom Herbert <therbert@google.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/fou.c')
-rw-r--r-- | net/ipv4/fou.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c index efa70ad44906..32e78924e246 100644 --- a/net/ipv4/fou.c +++ b/net/ipv4/fou.c @@ -87,6 +87,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) if (!pskb_may_pull(skb, len)) goto drop; + uh = udp_hdr(skb); + guehdr = (struct guehdr *)&uh[1]; + if (guehdr->version != 0) goto drop; |