Commit aa867359 authored by David S. Miller's avatar David S. Miller

llc: Fix length check in llc_fixup_skb().

Fixes bugzilla #32872

The LLC stack pretends to support non-linear skbs but there is a
direct use of skb_tail_pointer() in llc_fixup_skb().

Use pskb_may_pull() to see if data_size bytes remain and can be
accessed linearly in the packet, instead of direct pointer checks.
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 4a9f65f6
...@@ -121,8 +121,7 @@ static inline int llc_fixup_skb(struct sk_buff *skb) ...@@ -121,8 +121,7 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
s32 data_size = ntohs(pdulen) - llc_len; s32 data_size = ntohs(pdulen) - llc_len;
if (data_size < 0 || if (data_size < 0 ||
((skb_tail_pointer(skb) - !pskb_may_pull(skb, data_size))
(u8 *)pdu) - llc_len) < data_size)
return 0; return 0;
if (unlikely(pskb_trim_rcsum(skb, data_size))) if (unlikely(pskb_trim_rcsum(skb, data_size)))
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment