From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sat, 15 Mar 2025 10:30:19 +0000 (+0800)
Subject: xfrm: ipcomp: Call pskb_may_pull in ipcomp_input
X-Git-Tag: v6.15-rc1~118^2~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=39a3f23407d3b6942727ae2367382b5575d995c9;p=thirdparty%2Fkernel%2Flinux.git

xfrm: ipcomp: Call pskb_may_pull in ipcomp_input

If a malformed packet is received there may not be enough data
to pull.  This isn't a problem in practice because the caller
has already done xfrm_parse_spi which in effect does the same
thing.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index 9c0fa0e1786a2..43eae94e4b0e3 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -97,6 +97,9 @@ int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb)
 	int err = -ENOMEM;
 	struct ip_comp_hdr *ipch;
 
+	if (!pskb_may_pull(skb, sizeof(*ipch)))
+		return -EINVAL;
+
 	if (skb_linearize_cow(skb))
 		goto out;