From: Kumar Sanghvi <kumar.sanghvi@stericsson.com>
Date: Mon, 27 Sep 2010 23:10:42 +0000 (+0000)
Subject: Phonet: Correct header retrieval after pskb_may_pull
X-Git-Tag: v2.6.33.8~448
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6d37e73dcf0ba416ccf98fb4edc84509d097a1c;p=thirdparty%2Fkernel%2Fstable.git

Phonet: Correct header retrieval after pskb_may_pull

[ Upstream commit a91e7d471e2e384035b9746ea707ccdcd353f5dd ]

Retrieve the header after doing pskb_may_pull since, pskb_may_pull
could change the buffer structure.

This is based on the comment given by Eric Dumazet on Phonet
Pipe controller patch for a similar problem.

Signed-off-by: Kumar Sanghvi <kumar.sanghvi@stericsson.com>
Acked-by: Linus Walleij <linus.walleij@stericsson.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index b6356f3832f6e..c66c3481f7751 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -224,12 +224,13 @@ static void pipe_grant_credits(struct sock *sk)
 static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
 {
 	struct pep_sock *pn = pep_sk(sk);
-	struct pnpipehdr *hdr = pnp_hdr(skb);
+	struct pnpipehdr *hdr;
 	int wake = 0;
 
 	if (!pskb_may_pull(skb, sizeof(*hdr) + 4))
 		return -EINVAL;
 
+	hdr = pnp_hdr(skb);
 	if (hdr->data[0] != PN_PEP_TYPE_COMMON) {
 		LIMIT_NETDEBUG(KERN_DEBUG"Phonet unknown PEP type: %u\n",
 				(unsigned)hdr->data[0]);