From 3b2b6e7c1eb6a8d24c057e7f032e5cd4fea191fe Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Sun, 25 Jun 2017 16:24:23 +0200
Subject: global: cleanup IP header checking
This way is more correct and ensures we're within the skb head.
Signed-off-by: Jason A. Donenfeld
---
 src/ratelimiter.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/ratelimiter.c')
diff --git a/src/ratelimiter.c b/src/ratelimiter.c
index 2d2e758..b3fdd4c 100644
--- a/src/ratelimiter.c
+++ b/src/ratelimiter.c
@@ -82,12 +82,12 @@ bool ratelimiter_allow(struct sk_buff *skb, struct net *net)
 struct hlist_head *bucket;
 struct { u32 net; __be32 ip[3]; } data = { .net = (unsigned long)net & 0xffffffff };
- if (skb->len >= sizeof(struct iphdr) && ip_hdr(skb)->version == 4) {
+ if (skb->protocol == htons(ETH_P_IP)) {
 data.ip[0] = ip_hdr(skb)->saddr;
 bucket = &table_v4[hsiphash(&data, sizeof(u32) * 2, &key) & (table_size - 1)];
 }
 #if IS_ENABLED(CONFIG_IPV6)
- else if (skb->len >= sizeof(struct ipv6hdr) && ip_hdr(skb)->version == 6) {
+ else if (skb->protocol == htons(ETH_P_IPV6)) {
 memcpy(data.ip, &ipv6_hdr(skb)->saddr, sizeof(u32) * 3); /* Only 96 bits */
 bucket = &table_v6[hsiphash(&data, sizeof(u32) * 4, &key) & (table_size - 1)];
 }
-- cgit v1.2.3
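Review bot: Both new branches dereference `ip_hdr(skb)` / `ipv6_hdr(skb)` after testing only `skb->protocol`, so nothing visible in this hunk bounds the read of `saddr` now that the `skb->len` comparisons are gone. The commit message implies the header is validated against the skb head before this point, but that code is outside this file's diff; if ratelimiter_allow() were reached with a `skb->protocol` that was not derived from a checked header (for example one verified with `pskb_network_may_pull()`), the address read could run past the linear packet data. I would document the precondition above the function, e.g. `/* Caller must have verified that the IP header lies in the linear skb data and set skb->protocol from it. */`. The function body starts and ends outside the hunk, so how other `skb->protocol` values are handled before `bucket` is used cannot be checked here.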