From d8ca2ec22d949461cdbdb65016b2204b5a2d6c6d Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 19 Jan 2013 20:07:53 +0000 Subject: [PATCH] bridge: Pull ip header into skb->data before looking into ip header. (Closes: #697903) svn path=/dists/sid/linux/; revision=19754 --- debian/changelog | 2 ++ ...eader-into-skb-data-before-looking-i.patch | 30 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 33 insertions(+) create mode 100644 debian/patches/bugfix/all/bridge-Pull-ip-header-into-skb-data-before-looking-i.patch diff --git a/debian/changelog b/debian/changelog index 2f82ca248..dbc90bf1d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -91,6 +91,8 @@ linux (3.2.37-1) UNRELEASED; urgency=low - sched: Queue RT tasks to head when prio drops - sched: Consider pi boosting in setscheduler * [s390] s390/time: fix sched_clock() overflow (Closes: #698382) + * bridge: Pull ip header into skb->data before looking into ip header. + (Closes: #697903) [ Aurelien Jarno ] * [armhf/vexpress] Add kernel udebs. diff --git a/debian/patches/bugfix/all/bridge-Pull-ip-header-into-skb-data-before-looking-i.patch b/debian/patches/bugfix/all/bridge-Pull-ip-header-into-skb-data-before-looking-i.patch new file mode 100644 index 000000000..7c0d318ac --- /dev/null +++ b/debian/patches/bugfix/all/bridge-Pull-ip-header-into-skb-data-before-looking-i.patch @@ -0,0 +1,30 @@ +From: Sarveshwar Bandi +Date: Wed, 10 Oct 2012 01:15:01 +0000 +Subject: bridge: Pull ip header into skb->data before looking into ip header. + +commit 6caab7b0544e83e6c160b5e80f5a4a7dd69545c7 upstream. + +If lower layer driver leaves the ip header in the skb fragment, it needs to +be first pulled into skb->data before inspecting ip header length or ip version +number. + +Signed-off-by: Sarveshwar Bandi +Signed-off-by: David S. Miller +--- + net/bridge/br_netfilter.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c +index 68e8f36..fe43bc7 100644 +--- a/net/bridge/br_netfilter.c ++++ b/net/bridge/br_netfilter.c +@@ -265,6 +265,9 @@ static int br_parse_ip_options(struct sk_buff *skb) + struct net_device *dev = skb->dev; + u32 len; + ++ if (!pskb_may_pull(skb, sizeof(struct iphdr))) ++ goto inhdr_error; ++ + iph = ip_hdr(skb); + opt = &(IPCB(skb)->opt); + diff --git a/debian/patches/series b/debian/patches/series index 3c499daa9..afd9d1470 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -467,3 +467,4 @@ bugfix/all/vt6656-Fix-inconsistent-structure-packing.patch bugfix/all/fs-cachefiles-add-support-for-large-files-in-filesys.patch bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch bugfix/s390/s390-time-fix-sched_clock-overflow.patch +bugfix/all/bridge-Pull-ip-header-into-skb-data-before-looking-i.patch