android/android_kernel_asus_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ipv4: Fix crashes in ip_options_compile().

Browse Source 
The spec_dst uses should be guarded by skb_rtable() being non-NULL
not just the SKB being non-null.

Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller 2012-07-04 16:13:17 -07:00
parent e87183c2b5
commit 11604721a3
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
net/ipv4/ip_options.c
View File

@ -253,12 +253,15 @@ int ip_options_compile(struct net *net,
{ {
__be32 spec_dst = (__force __be32) 0; __be32 spec_dst = (__force __be32) 0;
unsigned char *pp_ptr = NULL; unsigned char *pp_ptr = NULL;
struct rtable *rt = NULL;
unsigned char *optptr; unsigned char *optptr;
unsigned char *iph; unsigned char *iph;
int optlen, l; int optlen, l;
if (skb != NULL) { if (skb != NULL) {
spec_dst = fib_compute_spec_dst(skb); rt = skb_rtable(skb);
if (rt)
spec_dst = fib_compute_spec_dst(skb);
optptr = (unsigned char *)&(ip_hdr(skb)[1]); optptr = (unsigned char *)&(ip_hdr(skb)[1]);
} else } else
optptr = opt->__data; optptr = opt->__data;
@ -330,7 +333,7 @@ int ip_options_compile(struct net *net,
pp_ptr = optptr + 2; pp_ptr = optptr + 2;
goto error; goto error;
} }
if (skb) { if (rt) {
memcpy(&optptr[optptr[2]-1], &spec_dst, 4); memcpy(&optptr[optptr[2]-1], &spec_dst, 4);
opt->is_changed = 1; opt->is_changed = 1;
} }
@ -372,7 +375,7 @@ int ip_options_compile(struct net *net,
goto error; goto error;
} }
opt->ts = optptr - iph; opt->ts = optptr - iph;
if (skb) { if (rt) {
memcpy(&optptr[optptr[2]-1], &spec_dst, 4); memcpy(&optptr[optptr[2]-1], &spec_dst, 4);
timeptr = &optptr[optptr[2]+3]; timeptr = &optptr[optptr[2]+3];
} }