[BRIDGE-NF]: Fix bridge-nf ipv6 length check
authorBart De Schuymer <bdschuym@pandora.be>
Mon, 19 Dec 2005 22:00:08 +0000 (14:00 -0800)
committerDavid S. Miller <davem@davemloft.net>
Mon, 19 Dec 2005 22:00:08 +0000 (14:00 -0800)
A typo caused some bridged IPv6 packets to get dropped randomly,
as reported by Sebastien Chaumontet. The patch below fixes this
(using skb->nh.raw instead of raw) and also makes the jumbo packet
length checking up-to-date with the code in
net/ipv6/exthdrs.c::ipv6_hop_jumbo.

Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/bridge/br_netfilter.c

index d8e36b7..43a0b35 100644 (file)
@@ -295,7 +295,7 @@ static int check_hbh_len(struct sk_buff *skb)
        len -= 2;
 
        while (len > 0) {
-               int optlen = raw[off+1]+2;
+               int optlen = skb->nh.raw[off+1]+2;
 
                switch (skb->nh.raw[off]) {
                case IPV6_TLV_PAD0:
@@ -308,18 +308,15 @@ static int check_hbh_len(struct sk_buff *skb)
                case IPV6_TLV_JUMBO:
                        if (skb->nh.raw[off+1] != 4 || (off&3) != 2)
                                goto bad;
-
                        pkt_len = ntohl(*(u32*)(skb->nh.raw+off+2));
-
+                       if (pkt_len <= IPV6_MAXPLEN ||
+                           skb->nh.ipv6h->payload_len)
+                               goto bad;
                        if (pkt_len > skb->len - sizeof(struct ipv6hdr))
                                goto bad;
-                       if (pkt_len + sizeof(struct ipv6hdr) < skb->len) {
-                               if (__pskb_trim(skb,
-                                   pkt_len + sizeof(struct ipv6hdr)))
-                                       goto bad;
-                               if (skb->ip_summed == CHECKSUM_HW)
-                                       skb->ip_summed = CHECKSUM_NONE;
-                       }
+                       if (pskb_trim_rcsum(skb,
+                           pkt_len+sizeof(struct ipv6hdr)))
+                               goto bad;
                        break;
                default:
                        if (optlen > len)