From: Willem de Bruijn <will...@google.com>

Sockets can apply a filter to incoming packets to drop or trim them.
Fix two codepaths that call skb_pull/__skb_pull after sk_filter without
checking for packet length.

Reading beyond skb->tail after trimming happens in more codepaths, but
safety of reading in the linear segment is based on minimum allocation
size (MAX_HEADER, GRO_MAX_HEAD, ..).

Willem de Bruijn (2):
  rose: limit sk_filter trim to payload
  dccp: limit sk_filter trim to payload

 include/linux/filter.h |  6 +++++-
 include/net/sock.h     |  8 +++++++-
 net/core/filter.c      | 10 +++++-----
 net/core/sock.c        |  7 ++++---
 net/dccp/ipv4.c        |  2 +-
 net/dccp/ipv6.c        |  2 +-
 net/rose/rose_in.c     |  3 ++-
 7 files changed, 25 insertions(+), 13 deletions(-)

-- 
2.8.0.rc3.226.g39d4020
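
The failure mode this cover letter describes, modelled in userspace C as an added example (not code from the patches or from the kernel): a filter trims a packet below the protocol header size, and a later unchecked pull makes the remaining length wrap. The names struct pkt, filter_trim_cap, pull_unchecked, receive and HDR_LEN are hypothetical, and the packet values are constructed.

```c
#include <stddef.h>

/* Userspace model of an skb: only the offset/length bookkeeping matters. */
struct pkt { unsigned char data[64]; size_t off, len; };

/* Hypothetical filter verdict: number of bytes to keep, 0 means drop. */
typedef size_t (*filter_fn)(const struct pkt *);

#define HDR_LEN 5 /* constructed protocol header size */

/* Run the filter and trim the packet, but never below `cap` bytes.
 * cap == 0 models the old behaviour: the filter may trim into the header. */
static int filter_trim_cap(struct pkt *p, filter_fn f, size_t cap)
{
    size_t keep = f(p);
    if (keep == 0)
        return -1;            /* filter dropped the packet */
    if (keep < cap)
        keep = cap;           /* header bytes always survive the trim */
    if (keep < p->len)
        p->len = keep;        /* trim only, never grow */
    return 0;
}

/* Unchecked pull, in the style of __skb_pull: the caller must
 * guarantee len >= n, otherwise the unsigned length wraps around. */
static void pull_unchecked(struct pkt *p, size_t n)
{
    p->off += n;
    p->len -= n;
}

/* Constructed filters for the demonstration. */
static size_t keep_one(const struct pkt *p)    { (void)p; return 1; }
static size_t keep_twelve(const struct pkt *p) { (void)p; return 12; }
static size_t drop_all(const struct pkt *p)    { (void)p; return 0; }

/* Receive path: the protocol validated len >= HDR_LEN before filtering,
 * then strips its header. Returns -1 if the filter dropped the packet. */
static int receive(struct pkt *p, filter_fn f, size_t cap)
{
    if (filter_trim_cap(p, f, cap) < 0)
        return -1;
    pull_unchecked(p, HDR_LEN);
    return 0;
}
```

With cap set to 0 the 20-byte packet trimmed to 1 byte ends up with a length far larger than its buffer; with cap set to HDR_LEN the same filter leaves an empty but consistent payload.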