net: skbuff: ensure LSE is pullable before decrementing the MPLS ttl
[ Upstream commit13de4ed9e3
] skb_mpls_dec_ttl() reads the LSE without ensuring that it is contained in the skb "linear" area. Fix this calling pskb_may_pull() before reading the current ttl. Found by code inspection. Fixes:2a2ea50870
("net: sched: add mpls manipulation actions to TC") Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: Davide Caratti <dcaratti@redhat.com> Link: https://lore.kernel.org/r/53659f28be8bc336c113b5254dc637cc76bbae91.1606987074.git.dcaratti@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
892e08e0b4
commit
ba203b92a8
|
@ -5618,6 +5618,9 @@ int skb_mpls_dec_ttl(struct sk_buff *skb)
|
||||||
if (unlikely(!eth_p_mpls(skb->protocol)))
|
if (unlikely(!eth_p_mpls(skb->protocol)))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
|
if (!pskb_may_pull(skb, skb_network_offset(skb) + MPLS_HLEN))
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
lse = be32_to_cpu(mpls_hdr(skb)->label_stack_entry);
|
lse = be32_to_cpu(mpls_hdr(skb)->label_stack_entry);
|
||||||
ttl = (lse & MPLS_LS_TTL_MASK) >> MPLS_LS_TTL_SHIFT;
|
ttl = (lse & MPLS_LS_TTL_MASK) >> MPLS_LS_TTL_SHIFT;
|
||||||
if (!--ttl)
|
if (!--ttl)
|
||||||
|
|
Loading…
Reference in New Issue