Skip to content
Commit 4a06fa67 authored by Willem de Bruijn's avatar Willem de Bruijn Committed by David S. Miller
Browse files

ip: on queued skb use skb_header_pointer instead of pskb_may_pull 

Commit 2efd4fca ("ip: in cmsg IP(V6)_ORIGDSTADDR call
pskb_may_pull") avoided a read beyond the end of the skb linear
segment by calling pskb_may_pull.

That function can trigger a BUG_ON in pskb_expand_head if the skb is
shared, which it is when when peeking. It can also return ENOMEM.

Avoid both by switching to safer skb_header_pointer.

Fixes: 2efd4fca

 ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
Suggested-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 0b7959b6
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment