Hello,
On Fri, 25 Oct 2013, Daniel Borkmann wrote:
> If skb_header_pointer() fails, we need to assign a verdict, that is
> NF_DROP in this case, otherwise, we would leave the verdict from
> conn_schedule() uninitialized when returning.
>
> Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx>
Looks good,
Acked-by: Julian Anastasov <ja@xxxxxx>
> ---
> net/netfilter/ipvs/ip_vs_proto_sctp.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
> index 23e596e..9ca7aa0 100644
> --- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
> +++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
> @@ -20,13 +20,18 @@ sctp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
> sctp_sctphdr_t *sh, _sctph;
>
> sh = skb_header_pointer(skb, iph->len, sizeof(_sctph), &_sctph);
> - if (sh == NULL)
> + if (sh == NULL) {
> + *verdict = NF_DROP;
> return 0;
> + }
>
> sch = skb_header_pointer(skb, iph->len + sizeof(sctp_sctphdr_t),
> sizeof(_schunkh), &_schunkh);
> - if (sch == NULL)
> + if (sch == NULL) {
> + *verdict = NF_DROP;
> return 0;
> + }
> +
> net = skb_net(skb);
> ipvs = net_ipvs(net);
> rcu_read_lock();
> --
> 1.7.11.7
Regards
--
Julian Anastasov <ja@xxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
