[PATCH] Signed-off-by: Peter Kosyh <p.kosyh@xxxxxxxxx>

From: Peter Kosyh
Date: Thu Jul 18 2019 - 05:42:50 EST


vrf_process_v4_outbound() and vrf_process_v6_outbound() do routing
using ip/ipv6 addresses, but don't make sure the header is available in
skb->data[] (skb_headlen() is less then header size).

The situation may occures while forwarding from MPLS layer to vrf, for
example.

So, this patch adds pskb_may_pull() calls in is_ip_tx_frame(), just before
call to vrf_process_... functions.

Signed-off-by: Peter Kosyh <p.kosyh@xxxxxxxxx>
---
drivers/net/vrf.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 54edf8956a25..d552f29a58d1 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -292,13 +292,16 @@ static netdev_tx_t is_ip_tx_frame(struct sk_buff *skb, struct net_device *dev)
{
switch (skb->protocol) {
case htons(ETH_P_IP):
+ if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr))
+ break;
return vrf_process_v4_outbound(skb, dev);
case htons(ETH_P_IPV6):
+ if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr))
+ break;
return vrf_process_v6_outbound(skb, dev);
- default:
- vrf_tx_error(dev, skb);
- return NET_XMIT_DROP;
}
+ vrf_tx_error(dev, skb);
+ return NET_XMIT_DROP;
}

static netdev_tx_t vrf_xmit(struct sk_buff *skb, struct net_device *dev)
--
2.11.0