Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753644AbdFSSh3 (ORCPT + 2 others); Mon, 19 Jun 2017 14:37:29 -0400 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:52484 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753099AbdFSShZ (ORCPT ); Mon, 19 Jun 2017 14:37:25 -0400 From: Willy Tarreau To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux@roeck-us.net Cc: Jamie Bainbridge , Willy Tarreau Subject: [PATCH 3.10 265/268] ipv6: check raw payload size correctly in ioctl Date: Mon, 19 Jun 2017 20:32:44 +0200 Message-Id: <1497897167-14556-266-git-send-email-w@1wt.eu> X-Mailer: git-send-email 2.8.0.rc2.1.gbe9624a In-Reply-To: <1497897167-14556-1-git-send-email-w@1wt.eu> References: <1497897167-14556-1-git-send-email-w@1wt.eu> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: From: Jamie Bainbridge commit 105f5528b9bbaa08b526d3405a5bcd2ff0c953c8 upstream. In situations where an skb is paged, the transport header pointer and tail pointer can be the same because the skb contents are in frags. This results in ioctl(SIOCINQ/FIONREAD) incorrectly returning a length of 0 when the length to receive is actually greater than zero. skb->len is already correctly set in ip6_input_finish() with pskb_pull(), so use skb->len as it always returns the correct result for both linear and paged data. Signed-off-by: Jamie Bainbridge Signed-off-by: Willy Tarreau --- net/ipv6/raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 989bd79..c7ce2be 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -1133,7 +1133,7 @@ static int rawv6_ioctl(struct sock *sk, int cmd, unsigned long arg) spin_lock_bh(&sk->sk_receive_queue.lock); skb = skb_peek(&sk->sk_receive_queue); if (skb != NULL) - amount = skb->tail - skb->transport_header; + amount = skb->len; spin_unlock_bh(&sk->sk_receive_queue.lock); return put_user(amount, (int __user *)arg); } -- 2.8.0.rc2.1.gbe9624a