[NETFILTER]: Handle nonlinear skbs in ip_queue/ip6_queue

Signed-off-by: Patrick McHardy <kaber@trash.net>

2 files changed, 8 insertions, 2 deletions

diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 26dca38f692a..7c3c5d1ed43f 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -257,7 +257,8 @@ ipq_build_packet_message(struct ipq_queue_entry *entry, int *errp)
 	}
 	
 	if (data_len)
-		memcpy(pmsg->payload, entry->skb->data, data_len);
+		if (skb_copy_bits(entry->skb, 0, pmsg->payload, data_len))
+			BUG();
 		
 	nlh->nlmsg_len = skb->tail - old_tail;
 	return skb;
@@ -362,6 +363,8 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
 		}
 		skb_put(e->skb, diff);
 	}
+	if (!skb_ip_make_writable(&e->skb, v->data_len))
+		return -ENOMEM;
 	memcpy(e->skb->data, v->payload, v->data_len);
 	e->skb->nfcache |= NFC_ALTERED;
 
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 75f9ac7b891e..cf5021816f91 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -262,7 +262,8 @@ ipq_build_packet_message(struct ipq_queue_entry *entry, int *errp)
 	}
 	
 	if (data_len)
-		memcpy(pmsg->payload, entry->skb->data, data_len);
+		if (skb_copy_bits(entry->skb, 0, pmsg->payload, data_len))
+			BUG();
 		
 	nlh->nlmsg_len = skb->tail - old_tail;
 	return skb;
@@ -366,6 +367,8 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
 		}
 		skb_put(e->skb, diff);
 	}
+	if (!skb_ip_make_writable(&e->skb, v->data_len))
+		return -ENOMEM;
 	memcpy(e->skb->data, v->payload, v->data_len);
 	e->skb->nfcache |= NFC_ALTERED;