ipv4: Put proper checks into icmp_socket_deliver().

All handler->err() routines expect that we've done a pskb_may_pull()
test to make sure that IP header length + 8 bytes can be safely
pulled.

Reported-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index d01aeb4d492e474528b3e2cd6cee60e19a2c7236..ea3a996de95bdb3cab88c96ecb1369a8dc43e355 100644 (file)
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -640,6 +640,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
        const struct net_protocol *ipprot;
        int protocol = iph->protocol;
 
+       /* Checkin full IP header plus 8 bytes of protocol to
+        * avoid additional coding at protocol handlers.
+        */
+       if (!pskb_may_pull(skb, iph->ihl * 4 + 8))
+               return;
+
        raw_icmp_error(skb, protocol, info);
 
        rcu_read_lock();
@@ -733,12 +739,6 @@ static void icmp_unreach(struct sk_buff *skb)
                goto out;
        }
 
-       /* Checkin full IP header plus 8 bytes of protocol to
-        * avoid additional coding at protocol handlers.
-        */
-       if (!pskb_may_pull(skb, iph->ihl * 4 + 8))
-               goto out;
-
        icmp_socket_deliver(skb, info);
 
 out: