cls_rsvp: add sanity check for the packet length

The packet length should be checked before the packet data is dereferenced.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
index dd9414e442008cd88a218d1339be4a6540e8dac0..425a1790b0480327b1ae9d2c4e1adec0a132a686 100644 (file)
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp,
        u8 tunnelid = 0;
        u8 *xprt;
 #if RSVP_DST_LEN == 4
-       struct ipv6hdr *nhptr = ipv6_hdr(skb);
+       struct ipv6hdr *nhptr;
+
+       if (!pskb_network_may_pull(skb, sizeof(*nhptr)))
+               return -1;
+       nhptr = ipv6_hdr(skb);
 #else
-       struct iphdr *nhptr = ip_hdr(skb);
+       struct iphdr *nhptr;
+
+       if (!pskb_network_may_pull(skb, sizeof(*nhptr)))
+               return -1;
+       nhptr = ip_hdr(skb);
 #endif
 
 restart: