ndisc: Check NS message length before access.
authorYOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Fri, 18 Jan 2013 02:05:03 +0000 (02:05 +0000)
committerDavid S. Miller <davem@davemloft.net>
Fri, 18 Jan 2013 19:41:13 +0000 (14:41 -0500)
Check message length before accessing "target" field,
as we do for other types.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ndisc.c

index 429622d747053346ea6b58878010ddd6576e135e..350f86005c1351c62ea1cf50067374371454c944 100644 (file)
@@ -671,6 +671,11 @@ static void ndisc_recv_ns(struct sk_buff *skb)
        bool inc;
        int is_router = -1;
 
+       if (skb->len < sizeof(struct nd_msg)) {
+               ND_PRINTK(2, warn, "NS: packet too short\n");
+               return;
+       }
+
        if (ipv6_addr_is_multicast(&msg->target)) {
                ND_PRINTK(2, warn, "NS: multicast target address\n");
                return;