Backmerge tag 'v5.13-rc7' into drm-next

Backmerge Linux 5.13-rc7 to make some pulls from later bases apply, and to bake in the conflicts so far.
author: Dave Airlie <airlied@redhat.com> 2021-06-23 10:07:48 +1000
committer: Dave Airlie <airlied@redhat.com> 2021-06-23 10:07:48 +1000
commit: f45fbbb6d5cff29ddfc708676ec1c2496eed3a07 (patch)
tree: 5496fee9f6b10da368aa49b03612061156e42d2f /net/netfilter/nf_synproxy_core.c
parent: Merge tag 'amd-drm-next-5.14-2021-06-16' of https://gitlab.freedesktop.org/agd5f/linux into drm-next (diff)
parent: Linux 5.13-rc7 (diff)
download: linux-dev-f45fbbb6d5cff29ddfc708676ec1c2496eed3a07.tar.xz
linux-dev-f45fbbb6d5cff29ddfc708676ec1c2496eed3a07.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index b100c04a0e43..3d6d49420db8 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -31,6 +31,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
 	int length = (th->doff * 4) - sizeof(*th);
 	u8 buf[40], *ptr;
 
+	if (unlikely(length < 0))
+		return false;
+
 	ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
 	if (ptr == NULL)
 		return false;
@@ -47,6 +50,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
 			length--;
 			continue;
 		default:
+			if (length < 2)
+				return true;
 			opsize = *ptr++;
 			if (opsize < 2)
 				return true;
author	Dave Airlie <airlied@redhat.com>	2021-06-23 10:07:48 +1000
committer	Dave Airlie <airlied@redhat.com>	2021-06-23 10:07:48 +1000
commit	f45fbbb6d5cff29ddfc708676ec1c2496eed3a07 (patch)
tree	5496fee9f6b10da368aa49b03612061156e42d2f /net/netfilter/nf_synproxy_core.c
parent	Merge tag 'amd-drm-next-5.14-2021-06-16' of https://gitlab.freedesktop.org/agd5f/linux into drm-next (diff)
parent	Linux 5.13-rc7 (diff)
download	linux-dev-f45fbbb6d5cff29ddfc708676ec1c2496eed3a07.tar.xz linux-dev-f45fbbb6d5cff29ddfc708676ec1c2496eed3a07.zip