From: Eric Dumazet
Date: Tue, 24 Jan 2017 00:43:06 +0000 (-0800)
Subject: ipv6: fix ip6_tnl_parse_tlv_enc_lim()
X-Git-Tag: v3.2.87~16
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6f6bb6bc04a5f88a31f47a6123d3fbf5ee8d694;p=pandora-kernel.git

ipv6: fix ip6_tnl_parse_tlv_enc_lim()

[ Upstream commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 ]

This function suffers from multiple issues.

First one is that pskb_may_pull() may reallocate skb->head,
so the 'raw' pointer needs either to be reloaded or not used at all.

Second issue is that NEXTHDR_DEST handling does not validate
that the options are present in skb->data, so we might read
garbage or access non existent memory.

With help from Willem de Bruijn.

Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Cc: Willem de Bruijn
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---

Reading git-diff-tree failed
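The diff itself is not available on this page. As an added illustration (a userspace sketch, not the kernel patch and not code from the commit), the parser below walks an IPv6 extension-header chain looking for the tunnel encapsulation limit option while checking every length against the buffer, and keeps only offsets rather than pointers into the packet. The function name `find_encap_limit`, the `sample_pkt` bytes and the flat-buffer model are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

enum { NEXTHDR_HOP = 0, NEXTHDR_ROUTING = 43, NEXTHDR_FRAGMENT = 44,
       NEXTHDR_AUTH = 51, NEXTHDR_DEST = 60 };
#define TLV_ENCAP_LIMIT 4  /* tunnel encapsulation limit option type */

/* Constructed sample: 40-byte IPv6 header + 8-byte destination options header. */
const uint8_t sample_pkt[48] = { [6] = NEXTHDR_DEST, [40] = 59,
    [42] = TLV_ENCAP_LIMIT, [43] = 1, [44] = 3, [45] = 1, [46] = 1 };

/* Returns the offset of the encap-limit TLV, or 0 if absent or malformed. */
size_t find_encap_limit(const uint8_t *pkt, size_t len)
{
    size_t off = 40;  /* fixed IPv6 header */
    uint8_t nexthdr;

    if (len < off)
        return 0;
    nexthdr = pkt[6];
    while (nexthdr == NEXTHDR_HOP || nexthdr == NEXTHDR_ROUTING ||
           nexthdr == NEXTHDR_FRAGMENT || nexthdr == NEXTHDR_AUTH ||
           nexthdr == NEXTHDR_DEST) {
        size_t hlen, i = 2;  /* i skips the next-header and length bytes */
        if (len - off < 8)   /* first 8 bytes of the header present? */
            return 0;
        if (nexthdr == NEXTHDR_FRAGMENT)
            hlen = 8;
        else if (nexthdr == NEXTHDR_AUTH)
            hlen = ((size_t)pkt[off + 1] + 2) << 2;
        else
            hlen = ((size_t)pkt[off + 1] + 1) << 3;
        if (hlen > len - off)  /* declared length must fit the buffer */
            return 0;
        while (nexthdr == NEXTHDR_DEST && i < hlen) {
            size_t tlen;
            if (pkt[off + i] == 0) { i++; continue; }  /* Pad1 */
            if (i + 2 > hlen)  /* no room for type + length */
                break;
            tlen = pkt[off + i + 1];
            if (i + 2 + tlen > hlen)  /* value would overrun the header */
                break;
            if (pkt[off + i] == TLV_ENCAP_LIMIT && tlen == 1)
                return off + i;
            i += 2 + tlen;
        }
        nexthdr = pkt[off];
        off += hlen;
    }
    return 0;
}
```

In the kernel the equivalent of the `len - off` checks is a successful pskb_may_pull() for the needed range, after which any pointer derived from skb->head has to be recomputed.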