Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net/ipv6: Fix CALIPSO causing GPF with datagram support

When using CALIPSO with IPPROTO_UDP it is possible to trigger a GPF as the
IP header may have moved.

Also update the payload length after adding the CALIPSO option.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Richard Haines and committed by David S. Miller
e3ebdb20 59423815

+5 -1
net/ipv6/calipso.c
··· 1319 1319 struct ipv6hdr *ip6_hdr; 1320 1320 struct ipv6_opt_hdr *hop; 1321 1321 unsigned char buf[CALIPSO_MAX_BUFFER]; 1322 - int len_delta, new_end, pad; 1322 + int len_delta, new_end, pad, payload; 1323 1323 unsigned int start, end; 1324 1324 1325 1325 ip6_hdr = ipv6_hdr(skb); ··· 1346 1346 if (ret_val < 0) 1347 1347 return ret_val; 1348 1348 1349 + ip6_hdr = ipv6_hdr(skb); /* Reset as skb_cow() may have moved it */ 1350 + 1349 1351 if (len_delta) { 1350 1352 if (len_delta > 0) 1351 1353 skb_push(skb, len_delta); ··· 1357 1355 sizeof(*ip6_hdr) + start); 1358 1356 skb_reset_network_header(skb); 1359 1357 ip6_hdr = ipv6_hdr(skb); 1358 + payload = ntohs(ip6_hdr->payload_len); 1359 + ip6_hdr->payload_len = htons(payload + len_delta); 1360 1360 } 1361 1361 1362 1362 hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
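Review bot: The refresh of ip6_hdr at new line 1349 covers only this one pointer, while the assignment at line 1325 is left in place, so ip6_hdr stays live across the call that the comment says can move the header. Suggest confirming that nothing else taken from the old header in the elided lines before the ret_val check is used as a pointer afterwards, and extending the comment to say that every cached pointer into the skb is stale at this point, not just ip6_hdr, so later changes between lines 1325 and 1349 do not reintroduce the fault.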
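Review bot: The payload_len update at new lines 1358-1359 has no range check. payload and len_delta are both int and the sum goes straight into htons(), which keeps only the low 16 bits, so a result outside 0..65535 would be written to the header silently truncated. Suggest validating the sum before the skb_push() and header move and returning an error if it does not fit, or adding a comment that states why it cannot overflow here. The extra local could also be dropped by folding the two lines into a single assignment on ip6_hdr->payload_len.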