ipv4: fix a potential use after free in fou.c
authorLi RongQing <roy.qing.li@gmail.com>
Fri, 17 Oct 2014 08:53:47 +0000 (16:53 +0800)
committerDavid S. Miller <davem@davemloft.net>
Sat, 18 Oct 2014 03:45:26 +0000 (23:45 -0400)
pskb_may_pull() maybe change skb->data and make uh pointer oboslete,
so reload uh and guehdr

Fixes: 37dd0247 ("gue: Receive side for Generic UDP Encapsulation")
Cc: Tom Herbert <therbert@google.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/fou.c

index efa70ad44906aac3204cd90e76b35c3159caa2ac..32e78924e246bb7f89ad8a7b7a722e04fd879d0e 100644 (file)
@@ -87,6 +87,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
        if (!pskb_may_pull(skb, len))
                goto drop;
 
+       uh = udp_hdr(skb);
+       guehdr = (struct guehdr *)&uh[1];
+
        if (guehdr->version != 0)
                goto drop;