[IPV4] raw: Strengthen check on validity of iph->ihl

[ Upstream commit: f844c74fe07321953e2dd227fe35280075f18f60 ]

We currently check that iph->ihl is bounded by the real length and that
the real length is greater than the minimum IP header length.  However,
we did not check the caes where iph->ihl is less than the minimum IP
header length.

This breaks because some ip_fast_csum implementations assume that which
is quite reasonable.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>

diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index f29a12da5109d91a9a9dfebd318c2b1aa5a63b94..0802f56fd9ea99bc6c98f39e74f52e1807e8ee87 100644 (file)
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -271,6 +271,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
        int hh_len;
        struct iphdr *iph;
        struct sk_buff *skb;
+       unsigned int iphlen;
        int err;
 
        if (length > rt->u.dst.dev->mtu) {
@@ -302,7 +303,8 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
                goto error_fault;
 
        /* We don't modify invalid header */
-       if (length >= sizeof(*iph) && iph->ihl * 4U <= length) {
+       iphlen = iph->ihl * 4;
+       if (iphlen >= sizeof(*iph) && iphlen <= length) {
                if (!iph->saddr)
                        iph->saddr = rt->rt_src;
                iph->check   = 0;