summaryrefslogtreecommitdiff
path: root/net/ipv6
diff options
context:
space:
mode:
authorLi RongQing <roy.qing.li@gmail.com>2014-10-18 17:27:42 +0800
committerDavid S. Miller <davem@davemloft.net>2014-10-18 13:04:08 -0400
commitfc6fb41cd64fd810bcc69fe9776d2f500778f38f (patch)
tree8814838d267283327e457d54ff7cfe99fee57f76 /net/ipv6
parentb4e3cef703fb21b26db053a770900f2bd910638b (diff)
ipv6: fix a potential use after free in ip6_offload.c
pskb_may_pull() maybe change skb->data and make opth pointer oboslete, so set the opth again Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/ip6_offload.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 9034f76ae013..91014d32488d 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -46,6 +46,7 @@ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto)
if (unlikely(!pskb_may_pull(skb, len)))
break;
+ opth = (void *)skb->data;
proto = opth->nexthdr;
__skb_pull(skb, len);
}