From: Li RongQing <roy.qing.li@gmail.com>
Date: Fri, 17 Oct 2014 08:53:47 +0000 (+0800)
Subject: ipv4: fix a potential use after free in fou.c
X-Git-Tag: Ubuntu-5.10.0-12.13~16038^2~9
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=d8f00d27105a1553a13d4a96c3eb4544f70ca908;p=mirror_ubuntu-hirsute-kernel.git

ipv4: fix a potential use after free in fou.c

pskb_may_pull() maybe change skb->data and make uh pointer oboslete,
so reload uh and guehdr

Fixes: 37dd0247 ("gue: Receive side for Generic UDP Encapsulation")
Cc: Tom Herbert <therbert@google.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index efa70ad44906..32e78924e246 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -87,6 +87,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
 	if (!pskb_may_pull(skb, len))
 		goto drop;
 
+	uh = udp_hdr(skb);
+	guehdr = (struct guehdr *)&uh[1];
+
 	if (guehdr->version != 0)
 		goto drop;