ipv4: fix a potential use after free in gre_offload.c

pskb_may_pull() may change skb->data and make greh pointer oboslete;
so need to reassign greh;
but since first calling pskb_may_pull already ensured that skb->data
has enough space for greh, so move the reference of greh before second
calling pskb_may_pull(), to avoid reassign greh.

Fixes: 7a7ffbabf9("ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC")
Cc: Wei-Chun Chao <weichunc@plumgrid.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
index a777295..ccda096 100644 (file)
--- a/net/ipv4/gre_offload.c
+++ b/net/ipv4/gre_offload.c
@@ -55,13 +55,13 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
        if (csum)
                skb->encap_hdr_csum = 1;
 
-       if (unlikely(!pskb_may_pull(skb, ghl)))
-               goto out;
-
        /* setup inner skb. */
        skb->protocol = greh->protocol;
        skb->encapsulation = 0;
 
+       if (unlikely(!pskb_may_pull(skb, ghl)))
+               goto out;
+
        __skb_pull(skb, ghl);
        skb_reset_mac_header(skb);
        skb_set_network_header(skb, skb_inner_network_offset(skb));