From: Emmanuel Grumbach Date: Fri, 28 Jan 2022 12:30:54 +0000 (+0200) Subject: iwlwifi: mei: fix the pskb_may_pull check in ipv4 X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=e1849784de9b75519f972abd22fb7e9e7bd7f992;p=linux.git iwlwifi: mei: fix the pskb_may_pull check in ipv4 The check makes sure that we can look at the ip header. We first need to check that the basic ip header (20 bytes) can be pulled before we look at the field that will teach us how long is the ip header. This is why there are two checks. The second check was wrong and smatch pointed that sizeof(ip_hdrlen(skb) - sizeof(*iphdr)) can't be right. Looking at the code again made me think that we really need ip_hdrlen(skb) since we want to make sure all the IP header is in the buffer header. This will allow us to set the transport offset and from there to look at the transport header (TCP / UDP). Reported-by: Dan Carpenter Signed-off-by: Emmanuel Grumbach Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20220128142706.6d9fcf82691e.I449b1e21c5b5478f2ac218522570479918f49f9d@changeid --- diff --git a/drivers/net/wireless/intel/iwlwifi/mei/net.c b/drivers/net/wireless/intel/iwlwifi/mei/net.c index 5f966af697200..468102a95e1b9 100644 --- a/drivers/net/wireless/intel/iwlwifi/mei/net.c +++ b/drivers/net/wireless/intel/iwlwifi/mei/net.c @@ -195,8 +195,7 @@ static bool iwl_mei_rx_filter_ipv4(struct sk_buff *skb, bool match; if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(*iphdr)) || - !pskb_may_pull(skb, skb_network_offset(skb) + - sizeof(ip_hdrlen(skb) - sizeof(*iphdr)))) + !pskb_may_pull(skb, skb_network_offset(skb) + ip_hdrlen(skb))) return false; iphdrlen = ip_hdrlen(skb);