tcp: take care of misalignments

We discovered that TCP stack could retransmit misaligned skbs if a malicious peer acknowledged sub MSS frame. This currently can happen only if output interface is non SG enabled : If SG is enabled, tcp builds headless skbs (all payload is included in fragments), so the tcp trimming process only removes parts of skb fragments, header stay aligned. Some arches cant handle misalignments, so force a head reallocation and shrink headroom to MAX_TCP_HEADER. Dont care about misaligments on x86 and PPC (or other arches setting NET_IP_ALIGN to 0) This patch introduces __pskb_copy() which can specify the headroom of new head, and pskb_copy() becomes a wrapper on top of __pskb_copy() Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <eric.dumazet@gmail.com> 2011-12-03 16:39:53 -0500
committer: David S. Miller <davem@davemloft.net> 2011-12-04 13:20:39 -0500
commit: 117632e64d2a5f464e491fe221d7169a3814a77b (patch)
tree: 88f3a036305da54a62835d900553dda9bc846a8f
parent: c2e4e25afcc8ae1835a6100089f1f9fd3a362430 (diff)
3 files changed, 24 insertions, 8 deletions
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index cec0657d0d32..12e6fed73f8e 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -568,8 +568,9 @@ extern struct sk_buff *skb_clone(struct sk_buff *skb,
                                 gfp_t priority);
 extern struct sk_buff *skb_copy(const struct sk_buff *skb,
                                gfp_t priority);
-extern struct sk_buff *pskb_copy(struct sk_buff *skb,
+extern struct sk_buff *__pskb_copy(struct sk_buff *skb,
-                                 gfp_t gfp_mask);
+                                 int headroom, gfp_t gfp_mask);
 extern int             pskb_expand_head(struct sk_buff *skb,
                                        int nhead, int ntail,
                                        gfp_t gfp_mask);
@@ -1799,6 +1800,12 @@ static inline dma_addr_t skb_frag_dma_map(struct device *dev,
                            frag->page_offset + offset, size, dir);
 }
+static inline struct sk_buff *pskb_copy(struct sk_buff *skb,
+                                        gfp_t gfp_mask)
+{
+        return __pskb_copy(skb, skb_headroom(skb), gfp_mask);
+}
 /**
 *      skb_clone_writable - is the header of a clone writable
 *      @skb: buffer to check
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 678ae4e783aa..fd3646209b65 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -840,8 +840,9 @@ struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask)
 EXPORT_SYMBOL(skb_copy);
 /**
- *      pskb_copy       -       create copy of an sk_buff with private head.
+ *      __pskb_copy     -       create copy of an sk_buff with private head.
 *      @skb: buffer to copy
+ *      @headroom: headroom of new skb
 *      @gfp_mask: allocation priority
 *
 *      Make a copy of both an &sk_buff and part of its data, located
@@ -852,16 +853,16 @@ EXPORT_SYMBOL(skb_copy);
 *      The returned buffer has a reference count of 1.
 */
-struct sk_buff *pskb_copy(struct sk_buff *skb, gfp_t gfp_mask)
+struct sk_buff *__pskb_copy(struct sk_buff *skb, int headroom, gfp_t gfp_mask)
 {
-        unsigned int size = skb_end_pointer(skb) - skb->head;
+        unsigned int size = skb_headlen(skb) + headroom;
        struct sk_buff *n = alloc_skb(size, gfp_mask);
        if (!n)
                goto out;
        /* Set the data pointer */
-        skb_reserve(n, skb_headroom(skb));
+        skb_reserve(n, headroom);
        /* Set the tail pointer and length */
        skb_put(n, skb_headlen(skb));
        /* Copy the bytes */
@@ -897,7 +898,7 @@ struct sk_buff *pskb_copy(struct sk_buff *skb, gfp_t gfp_mask)
 out:
        return n;
 }
-EXPORT_SYMBOL(pskb_copy);
+EXPORT_SYMBOL(__pskb_copy);
 /**
 *      pskb_expand_head - reallocate header of &sk_buff
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 58f69acd3d22..50788d67bdb7 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2147,7 +2147,15 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
         */
        TCP_SKB_CB(skb)->when = tcp_time_stamp;
-        err = tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC);
+        /* make sure skb->data is aligned on arches that require it */
+        if (unlikely(NET_IP_ALIGN && ((unsigned long)skb->data & 3))) {
+                struct sk_buff *nskb = __pskb_copy(skb, MAX_TCP_HEADER,
+                                                   GFP_ATOMIC);
+                err = nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) :
+                             -ENOBUFS;
+        } else {
+                err = tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC);
+        }
        if (err == 0) {
                /* Update global TCP statistics. */
author	Eric Dumazet <eric.dumazet@gmail.com>	2011-12-03 16:39:53 -0500
committer	David S. Miller <davem@davemloft.net>	2011-12-04 13:20:39 -0500
commit	117632e64d2a5f464e491fe221d7169a3814a77b (patch)
tree	88f3a036305da54a62835d900553dda9bc846a8f
parent	c2e4e25afcc8ae1835a6100089f1f9fd3a362430 (diff)