From 3be550f34b03e5eb762f74d447ebbeba97efbd6d Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 10 Jul 2007 23:06:43 -0700 Subject: [PATCH] [UDP]: Fix length check. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Rémi Denis-Courmont wrote: > Right. By the way, shouldn't "len" rather be signed in there? > > unsigned int len; > > /* if we're overly short, let UDP handle it */ > len = skb->len - sizeof(struct udphdr); > if (len <= 0) > goto udp; It should, but the < 0 case can't happen since __udp4_lib_rcv already makes sure that we have at least a complete UDP header. Anyways, this patch fixes it. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/udp.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 4ec4a25..2835535 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -951,14 +951,10 @@ int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) * >0 if skb should be passed on to UDP. * <0 if skb should be resubmitted as proto -N */ - unsigned int len; /* if we're overly short, let UDP handle it */ - len = skb->len - sizeof(struct udphdr); - if (len <= 0) - goto udp; - - if (up->encap_rcv != NULL) { + if (skb->len > sizeof(struct udphdr) && + up->encap_rcv != NULL) { int ret; ret = (*up->encap_rcv)(sk, skb); @@ -971,7 +967,6 @@ int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) /* FALLTHROUGH -- it's a UDP Packet */ } -udp: /* * UDP-Lite specific tests, ignored on UDP sockets */ -- 2.7.4