Commit ff9a57a6 authored by Linus Lüssing's avatar Linus Lüssing Committed by David S. Miller

bridge: mcast snooping, fix length check of snooped MLDv1/2

"len = ntohs(ip6h->payload_len)" does not include the length of the ipv6
header itself, which the rest of this function assumes, though.

This leads to a length check less restrictive as it should be in the
following line for one thing. For another, it very likely leads to an
integer underrun when substracting the offset and therefore to a very
high new value of 'len' due to its unsignedness. This will ultimately
lead to the pskb_trim_rcsum() practically never being called, even in
the cases where it should.
Signed-off-by: default avatarLinus Lüssing <linus.luessing@web.de>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fd1d9188
...@@ -1475,7 +1475,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br, ...@@ -1475,7 +1475,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
ip6h->payload_len == 0) ip6h->payload_len == 0)
return 0; return 0;
len = ntohs(ip6h->payload_len); len = ntohs(ip6h->payload_len) + sizeof(*ip6h);
if (skb->len < len) if (skb->len < len)
return -EINVAL; return -EINVAL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment