ipv6: avoid overflow of offset in ip6_find_1stfragopt
authorSabrina Dubroca <sd@queasysnail.net>
Wed, 19 Jul 2017 20:28:55 +0000 (22:28 +0200)
committerDavid S. Miller <davem@davemloft.net>
Thu, 20 Jul 2017 05:50:14 +0000 (22:50 -0700)
commit6399f1fae4ec29fab5ec76070435555e256ca3a6
tree3bf30f18bbd1c9eb4b37786cba7fe73e70ea014b
parent1e6c22aef28364dcc5f03c04a05ec463bc2b3431
ipv6: avoid overflow of offset in ip6_find_1stfragopt

In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.

This problem has been here since before the beginning of git history.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/output_core.c