[ATM]: Check IP header validity in mpc_send_packet

Al went through the ip_fast_csum callers and found this piece of code
that did not validate the IP header.  While root crashing the machine
by sending bogus packets through raw or AF_PACKET sockets isn't that
serious, it is still nice to react gracefully.

This patch ensures that the skb has enough data for an IP header and
that the header length field is valid.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/atm/mpc.c b/net/atm/mpc.c
index 2086396de177557a71d9e1da1a7c52bf218ae359..9c7f712fc7e9c331e4dcd3c3b1d9c0fbdae3b01b 100644 (file)
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -542,6 +542,13 @@ static int mpc_send_packet(struct sk_buff *skb, struct net_device *dev)
        if (eth->h_proto != htons(ETH_P_IP))
                goto non_ip; /* Multi-Protocol Over ATM :-) */
 
+       /* Weed out funny packets (e.g., AF_PACKET or raw). */
+       if (skb->len < ETH_HLEN + sizeof(struct iphdr))
+               goto non_ip;
+       skb_set_network_header(skb, ETH_HLEN);
+       if (skb->len < ETH_HLEN + ip_hdr(skb)->ihl * 4 || ip_hdr(skb)->ihl < 5)
+               goto non_ip;
+
        while (i < mpc->number_of_mps_macs) {
                if (!compare_ether_addr(eth->h_dest, (mpc->mps_macs + i*ETH_ALEN)))
                        if ( send_via_shortcut(skb, mpc) == 0 )           /* try shortcut */