From bbcf467dab42ea3c85f368df346c82af2fbba665 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Mon, 3 Jul 2006 19:38:35 -0700 Subject: [NET]: Verify gso_type too in gso_segment We don't want nasty Xen guests to pass a TCPv6 packet in with gso_type set to TCPv4 or even UDP (or a packet that's both TCP and UDP). Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/ipv6/ipv6_sockglue.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'net/ipv6/ipv6_sockglue.c') diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index c28e5c28744..ec59344478d 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -64,6 +64,14 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, int features) struct inet6_protocol *ops; int proto; + if (unlikely(skb_shinfo(skb)->gso_type & + ~(SKB_GSO_UDP | + SKB_GSO_DODGY | + SKB_GSO_TCP_ECN | + SKB_GSO_TCPV6 | + 0))) + goto out; + if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h)))) goto out; -- cgit v1.2.3-70-g09d2 From 6703931c546e6dec0431776fa616d5accd3e7162 Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Mon, 3 Jul 2006 19:41:11 -0700 Subject: [IPV6]: Fix ipv6 GSO payload length Fix ipv6 GSO payload length calculation. The ipv6 payload length excludes the ipv6 base header length and so must be subtracted. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- net/ipv6/ipv6_sockglue.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'net/ipv6/ipv6_sockglue.c') diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index ec59344478d..0c17dec11c8 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -119,7 +119,8 @@ unlock: for (skb = segs; skb; skb = skb->next) { ipv6h = skb->nh.ipv6h; - ipv6h->payload_len = htons(skb->len - skb->mac_len); + ipv6h->payload_len = htons(skb->len - skb->mac_len - + sizeof(*ipv6h)); } out: -- cgit v1.2.3-70-g09d2