ipv6: fix a potential use after free in ip6_offload.c
author Li RongQing <roy.qing.li@gmail.com>
Sat, 18 Oct 2014 09:27:42 +0000 (17:27 +0800)
committer David S. Miller <davem@davemloft.net>
Sat, 18 Oct 2014 17:04:08 +0000 (13:04 -0400)
pskb_may_pull() may change skb->data and make the opth pointer obsolete,
so set the opth again

Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ip6_offload.c

index 9034f76ae0138c4a201708ea15e28ba0b846247b..91014d32488ded4a7eeb0e00d27ee925bc48f8da 100644 (file)
@@ -46,6 +46,7 @@ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto)
                if (unlikely(!pskb_may_pull(skb, len)))
                        break;
 
+               opth = (void *)skb->data;
                proto = opth->nexthdr;
                __skb_pull(skb, len);
        }
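
Review bot: the added `opth = (void *)skb->data;` directly after the `pskb_may_pull(skb, len)` check carries no comment explaining why the pointer is reloaded, so it reads like a redundant assignment that a later cleanup could drop and reintroduce the stale-pointer read at `proto = opth->nexthdr;`. Suggest a one-line comment above it stating that pskb_may_pull() may change skb->data, so any pointer derived from it before the call must be re-derived. Only opth is visible in this hunk; it is worth confirming that no other pointer into the skb header taken before this call is still used after it in the loop.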