From 1faa5862206a21c97fa1ece4fb3b180af29ebe30 Mon Sep 17 00:00:00 2001
From: YOSHIFUJI Hideaki
Date: Tue, 18 Apr 2006 14:46:26 -0700
Subject: [PATCH] --- yaml --- r: 25915 b: refs/heads/master c: ec6700958a776a83681ecb11239c0525730c42ba h: refs/heads/master i: 25913: 404f7daaf898038a9bc9eec0a76640328c2b05c0 25911: 34a4bd3d4a31ffb330463264f58c0b7824db718b v: v3
---
 [refs] | 2 +-
 trunk/net/ipv6/exthdrs.c | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/[refs] b/[refs]
index 05754b39a98d..62e5e2c2a497 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: ef5cb9738b488140eb6c3f32fffab08f39a4905e
+refs/heads/master: ec6700958a776a83681ecb11239c0525730c42ba
diff --git a/trunk/net/ipv6/exthdrs.c b/trunk/net/ipv6/exthdrs.c
index 2a1e7e45b890..d88cab7b973f 100644
--- a/trunk/net/ipv6/exthdrs.c
+++ b/trunk/net/ipv6/exthdrs.c
@@ -489,6 +489,18 @@ int ipv6_parse_hopopts(struct sk_buff *skb, int nhoff)
 {
 struct inet6_skb_parm *opt = IP6CB(skb);
+ /*
+ * skb->nh.raw is equal to skb->data, and
+ * skb->h.raw - skb->nh.raw is always equal to
+ * sizeof(struct ipv6hdr) by definition of
+ * hop-by-hop options.
+ */
+ if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + 8) ||
+ !pskb_may_pull(skb, sizeof(struct ipv6hdr) + ((skb->h.raw[1] + 1) << 3))) {
+ kfree_skb(skb);
+ return -1;
+ }
+
 opt->hop = sizeof(struct ipv6hdr);
 if (ip6_parse_tlv(tlvprochopopt_lst, skb)) {
 skb->h.raw += (skb->h.raw[1]+1)<<3;
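Review bot: The two `pskb_may_pull()` calls measure from `skb->data` with a hard-coded `sizeof(struct ipv6hdr)` offset, while the length octet is read through `skb->h.raw[1]`, so the check covers the bytes that are parsed afterwards only as long as the invariant stated in the comment holds for every caller. Deriving the offset from the pointers themselves, e.g. `!pskb_may_pull(skb, (skb->h.raw - skb->data) + ((skb->h.raw[1] + 1) << 3))`, would keep the bound and the later `skb->h.raw += (skb->h.raw[1]+1)<<3` in step if that assumption ever changes. The bare `8` would read better with a comment such as `/* minimum hop-by-hop header: one 8-octet unit */`, since the length octet comes from the packet and this is the only bound on it visible in the hunk. The function body continues past the end of the hunk and the caller is not shown, so whether the `-1` drop is counted anywhere, and that no caller touches `skb` after it has been freed here, cannot be confirmed from this patch.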