dccp: Add check for truncated ICMPv6 DCCP error packets
authorWei Yongjun <yjwei@cn.fujitsu.com>
Sat, 26 Jul 2008 10:59:11 +0000 (11:59 +0100)
committerGerrit Renker <gerrit@erg.abdn.ac.uk>
Sat, 26 Jul 2008 10:59:11 +0000 (11:59 +0100)
This patch adds a minimum-length check for ICMPv6 packets, as per the previous
patch for ICMPv4 payloads.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
net/dccp/ipv6.c

index 25826b1bf68516ba8d30b89283aeb7554f8e4c70..5e1ee0da2c40cab9c7f44ffd431e4df4455e08f5 100644 (file)
@@ -96,6 +96,12 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        __u64 seq;
        struct net *net = dev_net(skb->dev);
 
+       if (skb->len < offset + sizeof(*dh) ||
+           skb->len < offset + __dccp_basic_hdr_len(dh)) {
+               ICMP6_INC_STATS_BH(__in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
+               return;
+       }
+
        sk = inet6_lookup(net, &dccp_hashinfo,
                        &hdr->daddr, dh->dccph_dport,
                        &hdr->saddr, dh->dccph_sport, inet6_iif(skb));