| From 63117f09c768be05a0bf465911297dc76394f686 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 1 Feb 2017 11:46:32 +0300 |
| Subject: [PATCH] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() |
| |
| commit 63117f09c768be05a0bf465911297dc76394f686 upstream. |
| |
| Casting is a high precedence operation but "off" and "i" are in terms of |
| bytes so we need to have some parenthesis here. |
| |
| Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Acked-by: Eric Dumazet <edumazet@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| |
| diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c |
| index ff8ee06491c3..75fac933c209 100644 |
| --- a/net/ipv6/ip6_tunnel.c |
| +++ b/net/ipv6/ip6_tunnel.c |
| @@ -441,7 +441,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) |
| if (i + sizeof(*tel) > optlen) |
| break; |
| |
| - tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i; |
| + tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i); |
| /* return index of option if found and valid */ |
| if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT && |
| tel->length == 1) |
| -- |
| 2.12.0 |
| |
