diff options
| author | Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com> | 2017-08-24 10:31:23 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-08-25 00:54:34 -0400 |
| commit | 60d1d93664a0bb3d5af722ed38c57ee165a45bf7 (patch) | |
| tree | 0e5ebe511f6f2e52e852c90dedcc24461515cfee /net/tipc | |
| parent | 27163138b4d80e36f2006273d66b6c122d241f30 (diff) | |
tipc: reassign pointers after skb reallocation / linearization
In tipc_msg_reverse(), we assign skb attributes to local pointers
in stack at startup. This is followed by skb_linearize() and for
cloned buffers we perform skb relocation using pskb_expand_head().
Both these methods may update the skb attributes and thus making
the pointers incorrect.
In this commit, we fix this error by ensuring that the pointers
are re-assigned after any of these skb operations.
Fixes: 29042e19f2c60 ("tipc: let function tipc_msg_reverse() expand header
when needed")
Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/msg.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/net/tipc/msg.c b/net/tipc/msg.c index dcd90e6fa7c3..6ef379f004ac 100644 --- a/net/tipc/msg.c +++ b/net/tipc/msg.c | |||
| @@ -479,13 +479,14 @@ bool tipc_msg_make_bundle(struct sk_buff **skb, struct tipc_msg *msg, | |||
| 479 | bool tipc_msg_reverse(u32 own_node, struct sk_buff **skb, int err) | 479 | bool tipc_msg_reverse(u32 own_node, struct sk_buff **skb, int err) |
| 480 | { | 480 | { |
| 481 | struct sk_buff *_skb = *skb; | 481 | struct sk_buff *_skb = *skb; |
| 482 | struct tipc_msg *hdr = buf_msg(_skb); | 482 | struct tipc_msg *hdr; |
| 483 | struct tipc_msg ohdr; | 483 | struct tipc_msg ohdr; |
| 484 | int dlen = min_t(uint, msg_data_sz(hdr), MAX_FORWARD_SIZE); | 484 | int dlen; |
| 485 | 485 | ||
| 486 | if (skb_linearize(_skb)) | 486 | if (skb_linearize(_skb)) |
| 487 | goto exit; | 487 | goto exit; |
| 488 | hdr = buf_msg(_skb); | 488 | hdr = buf_msg(_skb); |
| 489 | dlen = min_t(uint, msg_data_sz(hdr), MAX_FORWARD_SIZE); | ||
| 489 | if (msg_dest_droppable(hdr)) | 490 | if (msg_dest_droppable(hdr)) |
| 490 | goto exit; | 491 | goto exit; |
| 491 | if (msg_errcode(hdr)) | 492 | if (msg_errcode(hdr)) |
| @@ -511,6 +512,8 @@ bool tipc_msg_reverse(u32 own_node, struct sk_buff **skb, int err) | |||
| 511 | pskb_expand_head(_skb, BUF_HEADROOM, BUF_TAILROOM, GFP_ATOMIC)) | 512 | pskb_expand_head(_skb, BUF_HEADROOM, BUF_TAILROOM, GFP_ATOMIC)) |
| 512 | goto exit; | 513 | goto exit; |
| 513 | 514 | ||
| 515 | /* reassign after skb header modifications */ | ||
| 516 | hdr = buf_msg(_skb); | ||
| 514 | /* Now reverse the concerned fields */ | 517 | /* Now reverse the concerned fields */ |
| 515 | msg_set_errcode(hdr, err); | 518 | msg_set_errcode(hdr, err); |
| 516 | msg_set_non_seq(hdr, 0); | 519 | msg_set_non_seq(hdr, 0); |