Commit 3de33e1b authored by Stefano Brivio's avatar Stefano Brivio Committed by David S. Miller

ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()

A packet length of exactly IPV6_MAXPLEN is allowed, we should
refuse parsing options only if the size is 64KiB or more.

While at it, remove one extra variable and one assignment which
were also introduced by the commit that introduced the size
check. Checking the sum 'offset + len' and only later adding
'len' to 'offset' doesn't provide any advantage over directly
summing to 'offset' and checking it.

Fixes: 6399f1fa ("ipv6: avoid overflow of offset in ip6_find_1stfragopt")
Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 6470812e
...@@ -86,7 +86,6 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) ...@@ -86,7 +86,6 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
while (offset <= packet_len) { while (offset <= packet_len) {
struct ipv6_opt_hdr *exthdr; struct ipv6_opt_hdr *exthdr;
unsigned int len;
switch (**nexthdr) { switch (**nexthdr) {
...@@ -112,10 +111,9 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) ...@@ -112,10 +111,9 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
offset); offset);
len = ipv6_optlen(exthdr); offset += ipv6_optlen(exthdr);
if (len + offset >= IPV6_MAXPLEN) if (offset > IPV6_MAXPLEN)
return -EINVAL; return -EINVAL;
offset += len;
*nexthdr = &exthdr->nexthdr; *nexthdr = &exthdr->nexthdr;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment