From: Eric Dumazet Date: Thu, 4 Apr 2013 15:41:27 +0000 (+0000) Subject: ip_gre: fix a possible crash in parse_gre_header() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=22251c73ca63b5b1050724be9b54910c101a5f30;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git ip_gre: fix a possible crash in parse_gre_header() pskb_may_pull() can change skb->head, so we must init iph/greh after calling it. Bug added in commit c54419321455 (GRE: Refactor GRE tunneling code.) Signed-off-by: Eric Dumazet Cc: Pravin B Shelar Signed-off-by: David S. Miller --- diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index e5dfd2843f2..987a4e5e07e 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -159,14 +159,14 @@ static int ip_gre_calc_hlen(__be16 o_flags) static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi, bool *csum_err, int *hdr_len) { - struct iphdr *iph = ip_hdr(skb); - struct gre_base_hdr *greh; + unsigned int ip_hlen = ip_hdrlen(skb); + const struct gre_base_hdr *greh; __be32 *options; if (unlikely(!pskb_may_pull(skb, sizeof(struct gre_base_hdr)))) return -EINVAL; - greh = (struct gre_base_hdr *)((u8 *)iph + (iph->ihl << 2)); + greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen); if (unlikely(greh->flags & (GRE_VERSION | GRE_ROUTING))) return -EINVAL; @@ -176,6 +176,8 @@ static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi, if (!pskb_may_pull(skb, *hdr_len)) return -EINVAL; + greh = (struct gre_base_hdr *)(skb_network_header(skb) + ip_hlen); + tpi->proto = greh->protocol; options = (__be32 *)(greh + 1);