| From 7562ef435a00b50b3764b137b22eb2e883289ea3 Mon Sep 17 00:00:00 2001 |
| From: Herbert Xu <herbert@gondor.apana.org.au> |
| Date: Mon, 5 Jul 2010 21:29:28 +0000 |
| Subject: bridge: Clear IPCB before possible entry into IP stack |
| |
| |
| From: Herbert Xu <herbert@gondor.apana.org.au> |
| |
| [ Upstream commit 17762060c25590bfddd68cc1131f28ec720f405f ] |
| |
| The bridge protocol lives dangerously by having incestuous relations |
| with the IP stack. In this instance an abomination has been created |
| where a bogus IPCB area from a bridged packet leads to a crash in |
| the IP stack because it's interpreted as IP options. |
| |
| This patch papers over the problem by clearing the IPCB area in that |
| particular spot. To fix this properly we'd also need to parse any |
| IP options if present but I'm way too lazy for that. |
| |
| Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| --- |
| net/bridge/br_netfilter.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/net/bridge/br_netfilter.c |
| +++ b/net/bridge/br_netfilter.c |
| @@ -600,6 +600,9 @@ static unsigned int br_nf_pre_routing(un |
| |
| pskb_trim_rcsum(skb, len); |
| |
| + /* BUG: Should really parse the IP options here. */ |
| + memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); |
| + |
| nf_bridge_put(skb->nf_bridge); |
| if (!nf_bridge_alloc(skb)) |
| return NF_DROP; |
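Review bot: the comment added above the memset() in br_nf_pre_routing() says only "BUG: Should really parse the IP options here" and records neither why the clear is needed nor what it costs. The commit message explains that the control block of a bridged packet holds data that the IP stack would otherwise read as IP options. That reason belongs in the code comment, since it is what a later reader needs in order to know the memset() must not be removed or moved. The side effect also deserves a line: with IPCB(skb) zeroed and nothing parsed in its place, any options actually present in the IP header are not reflected in inet_skb_parm for the rest of this path. A FIXME-style wording such as "IPCB may hold stale bridge data here; clear it so it is not read as IP options. Options in the header are not parsed yet." would make both points explicit.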