xfrm: ipcomp: Call pskb_may_pull in ipcomp_input

If a malformed packet is received there may not be enough data
to pull.  This isn't a problem in practice because the caller
has already done xfrm_parse_spi which in effect does the same
thing.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index 9c0fa0e1786a2d42f606e31174235b4cd8b8f400..43eae94e4b0e3f65b231cd7745d489219b075072 100644 (file)
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -97,6 +97,9 @@ int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb)
        int err = -ENOMEM;
        struct ip_comp_hdr *ipch;
 
+       if (!pskb_may_pull(skb, sizeof(*ipch)))
+               return -EINVAL;
+
        if (skb_linearize_cow(skb))
                goto out;