[IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 2a1e7e45b890ff9eccb841c3271b3b09e52c8305..d88cab7b973f2dc6d50108b88b42eccf6e42b974 100644 (file)
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -489,6 +489,18 @@ int ipv6_parse_hopopts(struct sk_buff *skb, int nhoff)
 {
        struct inet6_skb_parm *opt = IP6CB(skb);
 
+       /*
+        * skb->nh.raw is equal to skb->data, and
+        * skb->h.raw - skb->nh.raw is always equal to
+        * sizeof(struct ipv6hdr) by definition of
+        * hop-by-hop options.
+        */
+       if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + 8) ||
+           !pskb_may_pull(skb, sizeof(struct ipv6hdr) + ((skb->h.raw[1] + 1) << 3))) {
+               kfree_skb(skb);
+               return -1;
+       }
+
        opt->hop = sizeof(struct ipv6hdr);
        if (ip6_parse_tlv(tlvprochopopt_lst, skb)) {
                skb->h.raw += (skb->h.raw[1]+1)<<3;