From 115b0aa6b444e8dd89b7f67b77b8c472763fbc1a Mon Sep 17 00:00:00 2001 From: =?utf8?q?YOSHIFUJI=20Hideaki=20/=20=E5=90=89=E8=97=A4=E8=8B=B1?= =?utf8?q?=E6=98=8E?= Date: Fri, 18 Jan 2013 02:05:03 +0000 Subject: [PATCH] ndisc: Check NS message length before access. Check message length before accessing "target" field, as we do for other types. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- net/ipv6/ndisc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 429622d74705..350f86005c13 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -671,6 +671,11 @@ static void ndisc_recv_ns(struct sk_buff *skb) bool inc; int is_router = -1; + if (skb->len < sizeof(struct nd_msg)) { + ND_PRINTK(2, warn, "NS: packet too short\n"); + return; + } + if (ipv6_addr_is_multicast(&msg->target)) { ND_PRINTK(2, warn, "NS: multicast target address\n"); return; -- 2.20.1