From 4cee0d814d080df05e8f72320409b275da7f64d9 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Fri, 11 Jan 2008 01:09:46 -0800 Subject: IPV4 raw: Strengthen check on validity of iph->ihl [IPV4] raw: Strengthen check on validity of iph->ihl [ Upstream commit: f844c74fe07321953e2dd227fe35280075f18f60 ] We currently check that iph->ihl is bounded by the real length and that the real length is greater than the minimum IP header length. However, we did not check the caes where iph->ihl is less than the minimum IP header length. This breaks because some ip_fast_csum implementations assume that which is quite reasonable. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/raw.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index c6d71526f62..b45a6109748 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -270,6 +270,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length, int hh_len; struct iphdr *iph; struct sk_buff *skb; + unsigned int iphlen; int err; if (length > rt->u.dst.dev->mtu) { @@ -303,7 +304,8 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length, goto error_fault; /* We don't modify invalid header */ - if (length >= sizeof(*iph) && iph->ihl * 4U <= length) { + iphlen = iph->ihl * 4; + if (iphlen >= sizeof(*iph) && iphlen <= length) { if (!iph->saddr) iph->saddr = rt->rt_src; iph->check = 0; -- cgit v1.2.3-18-g5258