bridge: fix igmpv3 / mldv2 report parsing

With the newly introduced helper functions the skb pulling is hidden in
the checksumming function - and undone before returning to the caller.

The IGMPv3 and MLDv2 report parsing functions in the bridge still
assumed that the skb is pointing to the beginning of the IGMP/MLD
message while it is now kept at the beginning of the IPv4/6 header,
breaking the message parsing and creating packet loss.

Fixing this by taking the offset between IP and IGMP/MLD header into
account, too.

Fixes: 9afd85c9e455 ("net: Export IGMP/MLD message validation code")
Reported-by: Tobias Powalowski <[email protected]>
Tested-by: Tobias Powalowski <[email protected]>
Signed-off-by: Linus Lüssing <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 66efdc21f548524a19f3abc3ea5268b245f88dd2..480b3de1a0e3e158a0968355902a8da4764b5d4f 100644 (file)
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1006,7 +1006,7 @@ static int br_ip4_multicast_igmp3_report(struct net_bridge *br,
 
        ih = igmpv3_report_hdr(skb);
        num = ntohs(ih->ngrec);
-       len = sizeof(*ih);
+       len = skb_transport_offset(skb) + sizeof(*ih);
 
        for (i = 0; i < num; i++) {
                len += sizeof(*grec);
@@ -1067,7 +1067,7 @@ static int br_ip6_multicast_mld2_report(struct net_bridge *br,
 
        icmp6h = icmp6_hdr(skb);
        num = ntohs(icmp6h->icmp6_dataun.un_data16[1]);
-       len = sizeof(*icmp6h);
+       len = skb_transport_offset(skb) + sizeof(*icmp6h);
 
        for (i = 0; i < num; i++) {
                __be16 *nsrcs, _nsrcs;