It is legitimate for callers of skb_header_pointer to pass a negative
offset, but the resulting pointer should not go outside the valid
range of data in the skb.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

--- a/include/linux/skbuff.h	2010-08-01 09:23:01.635121262 -0700
+++ b/include/linux/skbuff.h	2010-08-01 09:25:27.453901530 -0700
@@ -1853,6 +1853,9 @@ static inline void *skb_header_pointer(c
 {
 	int hlen = skb_headlen(skb);
 
+	if (hlen + offset < 0)
+		return NULL;
+
 	if (hlen - offset >= len)
 		return skb->data + offset;
 


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html