Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / e5a498e943fbc497f236ab8cf31366c75f337ce6^! / . / drivers / net / ethernet / sfc / ptp.c
commite5a498e943fbc497f236ab8cf31366c75f337ce6[log] [tgz]
authorBen Hutchings <bhutchings@solarflare.com>Fri Dec 06 19:26:40 2013 +0000
committerBen Hutchings <bhutchings@solarflare.com>Fri Dec 06 20:41:22 2013 +0000
treef608e770abc0d83bdf402c2e9e6b97ad1b9dbdb0
parente1ca87bb1b64b044163e686ff3bb71405156c561 [diff] [blame]
sfc: Add length checks to efx_xmit_with_hwtstamp() and efx_ptp_is_ptp_tx()

efx_ptp_is_ptp_tx() must be robust against skbs from raw sockets that
have invalid IPv4 and UDP headers.

Add checks that:
- the transport header has been found
- there is enough space between network and transport header offset
  for an IPv4 header
- there is enough space after the transport header offset for a
  UDP header

Fixes: 7c236c43b838 ('sfc: Add support for IEEE-1588 PTP')
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>

diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c
index 03acf57..93a61a1 100644
--- a/drivers/net/ethernet/sfc/ptp.c
+++ b/drivers/net/ethernet/sfc/ptp.c

@@ -989,7 +989,11 @@
 		skb->len >= PTP_MIN_LENGTH &&
 		skb->len <= MC_CMD_PTP_IN_TRANSMIT_PACKET_MAXNUM &&
 		likely(skb->protocol == htons(ETH_P_IP)) &&
+		skb_transport_header_was_set(skb) &&
+		skb_network_header_len(skb) >= sizeof(struct iphdr) &&
 		ip_hdr(skb)->protocol == IPPROTO_UDP &&
+		skb_headlen(skb) >=
+		skb_transport_offset(skb) + sizeof(struct udphdr) &&
 		udp_hdr(skb)->dest == htons(PTP_EVENT_PORT);
 }