diff options
| author | Jamie Bainbridge <jbainbri@redhat.com> | 2017-04-26 10:43:27 +1000 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-07-04 12:11:28 +0200 |
| commit | ee26c6ea4c821b5d572c0808d3d5aafb6cf8cca9 (patch) | |
| tree | d3f5eb5c9ba7d46f438842889547e200b5c1cabd | |
| parent | a4547d686a1ce67dab20948bc1a6d64e04b92a07 (diff) | |
ipv6: check raw payload size correctly in ioctl
commit 105f5528b9bbaa08b526d3405a5bcd2ff0c953c8 upstream.
In situations where an skb is paged, the transport header pointer and
tail pointer can be the same because the skb contents are in frags.
This results in ioctl(SIOCINQ/FIONREAD) incorrectly returning a
length of 0 when the length to receive is actually greater than zero.
skb->len is already correctly set in ip6_input_finish() with
pskb_pull(), so use skb->len as it always returns the correct result
for both linear and paged data.
Signed-off-by: Jamie Bainbridge <jbainbri@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
| -rw-r--r-- | net/ipv6/raw.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index f7d3f2429..22e92b0e6 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -1138,7 +1138,7 @@ static int rawv6_ioctl(struct sock *sk, int cmd, unsigned long arg) spin_lock_bh(&sk->sk_receive_queue.lock); skb = skb_peek(&sk->sk_receive_queue); if (skb != NULL) - amount = skb->tail - skb->transport_header; + amount = skb->len; spin_unlock_bh(&sk->sk_receive_queue.lock); return put_user(amount, (int __user *)arg); } |