[PATCH 4.4 03/20] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()

From: Greg Kroah-Hartman
Date: Thu Feb 16 2017 - 13:07:36 EST


4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>


[ Upstream commit 63117f09c768be05a0bf465911297dc76394f686 ]

Casting is a high precedence operation but "off" and "i" are in terms of
bytes so we need to have some parenthesis here.

Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Acked-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/ipv6/ip6_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -520,7 +520,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct s
if (i + sizeof(*tel) > optlen)
break;

- tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
+ tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i);
/* return index of option if found and valid */
if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
tel->length == 1)