[IPX]: Another nonlinear receive fix

Need to check some more cases in IPX receive.  If the skb is purely
fragments, the IPX header needs to be extracted. The function
pskb_may_pull() may in theory invalidate all the pointers in the skb,
so references to ipx header must be refreshed.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>

diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index 30eaeb2b33a4b26ecd6714e1fb070546c576195a..fb815541fa215053ff6a02830562b9f7758427a8 100644 (file)
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -1643,14 +1643,17 @@ static int ipx_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_ty
        if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
                goto out;
 
-       ipx             = ipx_hdr(skb);
-       ipx_pktsize     = ntohs(ipx->ipx_pktsize);
+       if (!pskb_may_pull(skb, sizeof(struct ipxhdr)))
+               goto drop;
+
+       ipx_pktsize = ntohs(ipxhdr(skb)->ipx_pktsize);
        
        /* Too small or invalid header? */
        if (ipx_pktsize < sizeof(struct ipxhdr) ||
            !pskb_may_pull(skb, ipx_pktsize))
                goto drop;
                         
+       ipx = ipx_hdr(skb);
        if (ipx->ipx_checksum != IPX_NO_CHECKSUM &&
           ipx->ipx_checksum != ipx_cksum(ipx, ipx_pktsize))
                goto drop;