authorJason A. Donenfeld <Jason@zx2c4.com>2017-06-25 16:24:23 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2017-06-26 12:35:06 +0200
commit2f12227690cf9a979a9a148109c96ab4f6ee6c0e (patch)
tree40c09b45766dd5f67f50d5986a6e75b90a7d3ede /src/ratelimiter.c
parentdevice: remove icmp conntrack hacks (diff)
global: cleanup IP header checking
This way is more correct and ensures we're within the skb head.
Diffstat (limited to 'src/ratelimiter.c')
-rw-r--r--src/ratelimiter.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/ratelimiter.c b/src/ratelimiter.c
index 2d2e758..b3fdd4c 100644
--- a/src/ratelimiter.c
+++ b/src/ratelimiter.c
@@ -82,12 +82,12 @@ bool ratelimiter_allow(struct sk_buff *skb, struct net *net)
struct hlist_head *bucket;
struct { u32 net; __be32 ip[3]; } data = { .net = (unsigned long)net & 0xffffffff };
- if (skb->len >= sizeof(struct iphdr) && ip_hdr(skb)->version == 4) {
+ if (skb->protocol == htons(ETH_P_IP)) {
data.ip[0] = ip_hdr(skb)->saddr;
bucket = &table_v4[hsiphash(&data, sizeof(u32) * 2, &key) & (table_size - 1)];
}
#if IS_ENABLED(CONFIG_IPV6)
- else if (skb->len >= sizeof(struct ipv6hdr) && ip_hdr(skb)->version == 6) {
+ else if (skb->protocol == htons(ETH_P_IPV6)) {
memcpy(data.ip, &ipv6_hdr(skb)->saddr, sizeof(u32) * 3); /* Only 96 bits */
bucket = &table_v6[hsiphash(&data, sizeof(u32) * 4, &key) & (table_size - 1)];
}
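Review bot: The new `skb->protocol == htons(ETH_P_IP)` and `skb->protocol == htons(ETH_P_IPV6)` branches drop the local `skb->len` bounds checks, so the reads of `ip_hdr(skb)->saddr` and `ipv6_hdr(skb)->saddr` are only safe if every caller has already confirmed that the full IP header lies in the skb head and derived `skb->protocol` from that check. That validation is not visible in this file's diff; presumably it sits in the receive path changed elsewhere in the commit. I would record the contract directly above the `if`, for example `/* Callers must set skb->protocol only after validating that the IP header is fully within the skb head. */`, so a future caller passing an unvalidated skb is recognisably a bug. The body of `ratelimiter_allow` starts and ends outside the hunk, so how a protocol matching neither branch is handled cannot be checked from here.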