diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-06-25 16:24:23 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-06-26 12:35:06 +0200 |
commit | 2f12227690cf9a979a9a148109c96ab4f6ee6c0e (patch) | |
tree | 40c09b45766dd5f67f50d5986a6e75b90a7d3ede /src/ratelimiter.c | |
parent | device: remove icmp conntrack hacks (diff) | |
download | wireguard-monolithic-historical-2f12227690cf9a979a9a148109c96ab4f6ee6c0e.tar.xz wireguard-monolithic-historical-2f12227690cf9a979a9a148109c96ab4f6ee6c0e.zip |
global: cleanup IP header checking
This way is more correct and ensures we're within the skb head.
Diffstat (limited to 'src/ratelimiter.c')
-rw-r--r-- | src/ratelimiter.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/ratelimiter.c b/src/ratelimiter.c index 2d2e758..b3fdd4c 100644 --- a/src/ratelimiter.c +++ b/src/ratelimiter.c @@ -82,12 +82,12 @@ bool ratelimiter_allow(struct sk_buff *skb, struct net *net) struct hlist_head *bucket; struct { u32 net; __be32 ip[3]; } data = { .net = (unsigned long)net & 0xffffffff }; - if (skb->len >= sizeof(struct iphdr) && ip_hdr(skb)->version == 4) { + if (skb->protocol == htons(ETH_P_IP)) { data.ip[0] = ip_hdr(skb)->saddr; bucket = &table_v4[hsiphash(&data, sizeof(u32) * 2, &key) & (table_size - 1)]; } #if IS_ENABLED(CONFIG_IPV6) - else if (skb->len >= sizeof(struct ipv6hdr) && ip_hdr(skb)->version == 6) { + else if (skb->protocol == htons(ETH_P_IPV6)) { memcpy(data.ip, &ipv6_hdr(skb)->saddr, sizeof(u32) * 3); /* Only 96 bits */ bucket = &table_v6[hsiphash(&data, sizeof(u32) * 4, &key) & (table_size - 1)]; } |