From: David S. Miller Date: Tue, 12 Apr 2011 01:59:05 +0000 (-0700) Subject: llc: Fix length check in llc_fixup_skb(). X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=aa8673599f1d269b4e4d9b0c0f61fca57bc02699;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git llc: Fix length check in llc_fixup_skb(). Fixes bugzilla #32872 The LLC stack pretends to support non-linear skbs but there is a direct use of skb_tail_pointer() in llc_fixup_skb(). Use pskb_may_pull() to see if data_size bytes remain and can be accessed linearly in the packet, instead of direct pointer checks. Signed-off-by: David S. Miller --- diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c index 058f1e9a9128..903242111317 100644 --- a/net/llc/llc_input.c +++ b/net/llc/llc_input.c @@ -121,8 +121,7 @@ static inline int llc_fixup_skb(struct sk_buff *skb) s32 data_size = ntohs(pdulen) - llc_len; if (data_size < 0 || - ((skb_tail_pointer(skb) - - (u8 *)pdu) - llc_len) < data_size) + !pskb_may_pull(skb, data_size)) return 0; if (unlikely(pskb_trim_rcsum(skb, data_size))) return 0;