net: sched: em_ipt: match only on ip/ipv6 traffic
author Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Thu, 27 Jun 2019 08:10:44 +0000 (11:10 +0300)
committer David S. Miller <davem@davemloft.net>
Sat, 29 Jun 2019 18:15:12 +0000 (11:15 -0700)
Restrict matching only to ip/ipv6 traffic and make sure we can use the
headers, otherwise matches will be attempted on any protocol which can
be unexpected by the xt matches. Currently policy supports only ipv4/6.

Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/em_ipt.c

index 243fd22f22487969cebf50abe2de9cc2e16ccfe2..64dbafe4e94cfaee8ce20e27fb825e3ad1b62aad 100644 (file)
@@ -185,6 +185,19 @@ static int em_ipt_match(struct sk_buff *skb, struct tcf_ematch *em,
        struct nf_hook_state state;
        int ret;
 
+       switch (tc_skb_protocol(skb)) {
+       case htons(ETH_P_IP):
+               if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
+                       return 0;
+               break;
+       case htons(ETH_P_IPV6):
+               if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))
+                       return 0;
+               break;
+       default:
+               return 0;
+       }
+
        rcu_read_lock();
 
        if (skb->skb_iif)
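Review bot: The new switch at the top of em_ipt_match() accepts a packet as soon as its protocol is ETH_P_IP or ETH_P_IPV6, but nothing in these lines compares that protocol with the family of the xt match the rule was configured with. Unless that comparison happens further down, an IPv4-only match can still be handed an IPv6 header, or the reverse, which is the same kind of unexpected input the commit message sets out to exclude. Consider checking the configured family in each case and returning 0 on a mismatch, or add a comment pointing to where that is enforced. Separately, pskb_network_may_pull() is called with sizeof(struct iphdr) and sizeof(struct ipv6hdr), so only the fixed header is guaranteed to be linear; IPv4 options and IPv6 extension headers are not covered, and a short comment saying that xt matches must do their own bounds checks beyond the base header would help the next reader.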