From: Patrick McHardy Date: Wed, 11 Jul 2007 06:06:43 +0000 (-0700) Subject: [UDP]: Fix length check. X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3be550f34b03e5eb762f74d447ebbeba97efbd6d;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git [UDP]: Fix length check. RĂ©mi Denis-Courmont wrote: > Right. By the way, shouldn't "len" rather be signed in there? > > unsigned int len; > > /* if we're overly short, let UDP handle it */ > len = skb->len - sizeof(struct udphdr); > if (len <= 0) > goto udp; It should, but the < 0 case can't happen since __udp4_lib_rcv already makes sure that we have at least a complete UDP header. Anyways, this patch fixes it. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 4ec4a25a8d0c..28355350fb62 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -951,14 +951,10 @@ int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) * >0 if skb should be passed on to UDP. * <0 if skb should be resubmitted as proto -N */ - unsigned int len; /* if we're overly short, let UDP handle it */ - len = skb->len - sizeof(struct udphdr); - if (len <= 0) - goto udp; - - if (up->encap_rcv != NULL) { + if (skb->len > sizeof(struct udphdr) && + up->encap_rcv != NULL) { int ret; ret = (*up->encap_rcv)(sk, skb); @@ -971,7 +967,6 @@ int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) /* FALLTHROUGH -- it's a UDP Packet */ } -udp: /* * UDP-Lite specific tests, ignored on UDP sockets */