diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2009-07-06 16:46:57 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-07-06 16:46:57 -0700 |
| commit | eeaecb8619fb679006ab24a11ed292e37c74703c (patch) | |
| tree | 13e8028af87707eedb938a0f4937aa9e74f1a313 /net/ipv6/xfrm6_policy.c | |
| parent | dc53fffc105f68cb08ca872acd51550e89aa2e67 (diff) | |
| parent | 0ca1b08eba627b4245efd0f71b55a062bf163777 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (39 commits)
Revert "p54: Use SKB list handling helpers instead of by-hand code."
sctp: fix warning at inet_sock_destruct() while release sctp socket
tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
dsa: fix 88e6xxx statistics counter snapshotting
forcedeth: Fix NAPI race.
drivers/net/smsc911x.c: Fix resource size off by 1 error
pcnet_cs: add new id
bnx2x: Fix the maximal values of coalescing timeouts.
bnx2x: Disable HC coalescing when setting timeout to zero.
tun: Fix device unregister race
be2net: fix spurious interrupt handling in intx mode
e1000e: disable K1 at 1000Mbps for 82577/82578
e1000e: delay second read of PHY_STATUS register on failure of first read
e1000e: prevent NVM corruption on sectors larger than 4K
e1000e: do not write SmartSpeed register bits on parts without support
e1000e: delay after LCD reset and proper checks for PHY configuration done
e1000e: PHY loopback broken on 82578
ixgbe: Not allow 8259x unsupported wol options change from ethtool
ixgbe: fix inconsistent SFP/SFP+ failure results.
ixgbe: fix regression on some 82598 adapters
...
Diffstat (limited to 'net/ipv6/xfrm6_policy.c')
| -rw-r--r-- | net/ipv6/xfrm6_policy.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index b4b16a43f277..3a3c677bc0f2 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c @@ -157,7 +157,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr); ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr); - while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) { + while (nh + offset + 1 < skb->data || + pskb_may_pull(skb, nh + offset + 1 - skb->data)) { nh = skb_network_header(skb); exthdr = (struct ipv6_opt_hdr *)(nh + offset); @@ -177,7 +178,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) case IPPROTO_TCP: case IPPROTO_SCTP: case IPPROTO_DCCP: - if (!onlyproto && pskb_may_pull(skb, nh + offset + 4 - skb->data)) { + if (!onlyproto && (nh + offset + 4 < skb->data || + pskb_may_pull(skb, nh + offset + 4 - skb->data))) { __be16 *ports = (__be16 *)exthdr; fl->fl_ip_sport = ports[!!reverse]; |