leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

udp: ipv4: fix potential use after free in udp_v4_early_demux()

Browse Source 
pskb_may_pull() can reallocate skb->head, we need to move the
initialization of iph and uh pointers after its call.

Fixes: 421b3885bf ("udp: ipv4: Add udp early demux")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Shawn Bohrer <sbohrer@rgmadvisors.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2013-12-11 08:10:05 -08:00 committed by David S. Miller
parent ce232ce01d
commit 610438b744
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
net/ipv4/udp.c
View File

@ -1909,17 +1909,20 @@ static struct sock *__udp4_lib_demux_lookup(struct net *net,
void udp_v4_early_demux(struct sk_buff *skb) void udp_v4_early_demux(struct sk_buff *skb)
{ {
const struct iphdr *iph = ip_hdr(skb); struct net *net = dev_net(skb->dev);
const struct udphdr *uh = udp_hdr(skb); const struct iphdr *iph;
const struct udphdr *uh;
struct sock *sk; struct sock *sk;
struct dst_entry *dst; struct dst_entry *dst;
struct net *net = dev_net(skb->dev);
int dif = skb->dev->ifindex; int dif = skb->dev->ifindex;
/* validate the packet */ /* validate the packet */
if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct udphdr))) if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct udphdr)))
return; return;
iph = ip_hdr(skb);
uh = udp_hdr(skb);
if (skb->pkt_type == PACKET_BROADCAST || if (skb->pkt_type == PACKET_BROADCAST ||
skb->pkt_type == PACKET_MULTICAST) skb->pkt_type == PACKET_MULTICAST)
sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr, sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,