[v5 PATCH 01/14] xfrm: ipcomp: Call pskb_may_pull in ipcomp_input

Herbert Xu herbert at gondor.apana.org.au
Sat Mar 15 03:30:19 PDT 2025


If a malformed packet is received there may not be enough data
to pull.  This isn't a problem in practice because the caller
has already done xfrm_parse_spi which in effect does the same
thing.

Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
---
 net/xfrm/xfrm_ipcomp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index 9c0fa0e1786a..43eae94e4b0e 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -97,6 +97,9 @@ int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb)
 	int err = -ENOMEM;
 	struct ip_comp_hdr *ipch;
 
+	if (!pskb_may_pull(skb, sizeof(*ipch)))
+		return -EINVAL;
+
 	if (skb_linearize_cow(skb))
 		goto out;
 
-- 
2.39.5




More information about the linux-mtd mailing list