authorHerbert Xu <herbert@gondor.apana.org.au>2008-01-16 01:21:00 +0200
committerAdrian Bunk <bunk@kernel.org>2008-01-16 01:21:00 +0200
commitd97b07efe475fc99271820c8c45db3092c99774d (patch)
tree05852ebf3e079ee0f07dfb6ef9fa87e68c00141b
parentf9fdf12742cdc18ca30ff6c3bec3bf1748deffa7 (diff)
[IPV4] raw: Strengthen check on validity of iph->ihl
[ Upstream commit: f844c74fe07321953e2dd227fe35280075f18f60 ] We currently check that iph->ihl is bounded by the real length and that the real length is greater than the minimum IP header length. However, we did not check the case where iph->ihl is less than the minimum IP header length. This breaks because some ip_fast_csum implementations assume that, which is quite reasonable. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@kernel.org>
-rw-r--r--net/ipv4/raw.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index f29a12da5109..0802f56fd9ea 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -271,6 +271,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
int hh_len;
struct iphdr *iph;
struct sk_buff *skb;
+ unsigned int iphlen;
int err;
if (length > rt->u.dst.dev->mtu) {
@@ -302,7 +303,8 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
goto error_fault;
/* We don't modify invalid header */
- if (length >= sizeof(*iph) && iph->ihl * 4U <= length) {
+ iphlen = iph->ihl * 4;
+ if (iphlen >= sizeof(*iph) && iphlen <= length) {
if (!iph->saddr)
iph->saddr = rt->rt_src;
iph->check = 0;
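Review bot: `iphlen = iph->ihl * 4;` reads the header before anything has established that `length` covers it, whereas the removed condition tested `length >= sizeof(*iph)` first and short-circuited. For a send shorter than the first header byte, the value would presumably come from skb data that the preceding copy did not fill; this is inferred, since the allocation and copy are outside this hunk. The `iphlen >= sizeof(*iph) && iphlen <= length` test still rejects any such value, so this is an uninitialised read that memory checkers will flag, not a bypass of the new check. Keeping the length guard in the assignment avoids it: `iphlen = length >= sizeof(*iph) ? iph->ihl * 4 : 0;`. raw_send_hdrinc begins and ends outside the hunk.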