summaryrefslogtreecommitdiff
path: root/net/atm
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2008-01-09 14:51:59 +0300
committerDavid S. Miller <davem@davemloft.net>2008-01-09 14:51:59 +0300
commit1c9b7aa1eb40ab708ef3242f74b9a61487623168 (patch)
treec0f3d53967a5e54a42413fe4cb6f1ee7a2c2b01e /net/atm
parent1ac4f008857487bf45b709248d71c5b3f4cae7b5 (diff)
downloadlinux-1c9b7aa1eb40ab708ef3242f74b9a61487623168.tar.xz
[ATM]: Check IP header validity in mpc_send_packet
Al went through the ip_fast_csum callers and found this piece of code that did not validate the IP header. While root crashing the machine by sending bogus packets through raw or AF_PACKET sockets isn't that serious, it is still nice to react gracefully. This patch ensures that the skb has enough data for an IP header and that the header length field is valid. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/atm')
-rw-r--r--net/atm/mpc.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/net/atm/mpc.c b/net/atm/mpc.c
index 2086396de177..9c7f712fc7e9 100644
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -542,6 +542,13 @@ static int mpc_send_packet(struct sk_buff *skb, struct net_device *dev)
if (eth->h_proto != htons(ETH_P_IP))
goto non_ip; /* Multi-Protocol Over ATM :-) */
+ /* Weed out funny packets (e.g., AF_PACKET or raw). */
+ if (skb->len < ETH_HLEN + sizeof(struct iphdr))
+ goto non_ip;
+ skb_set_network_header(skb, ETH_HLEN);
+ if (skb->len < ETH_HLEN + ip_hdr(skb)->ihl * 4 || ip_hdr(skb)->ihl < 5)
+ goto non_ip;
+
while (i < mpc->number_of_mps_macs) {
if (!compare_ether_addr(eth->h_dest, (mpc->mps_macs + i*ETH_ALEN)))
if ( send_via_shortcut(skb, mpc) == 0 ) /* try shortcut */