diff options
| author | Jorge Boncompte [DTI2] <jorge@dti2.net> | 2009-03-19 02:26:11 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-03-19 02:26:11 -0400 |
| commit | 2bad35b7c9588eb5e65c03bcae54e7eb6b1a6504 (patch) | |
| tree | 1a0dff781b3d756470845b58cade9c9b074fadb4 | |
| parent | e4a389a9b5c892446b5de2038bdc0cca8703c615 (diff) | |
netns: oops in ip[6]_frag_reasm incrementing stats
dev can be NULL in ip[6]_frag_reasm for skb's coming from RAW sockets.
Quagga's OSPFD sends fragmented packets on a RAW socket, when netfilter
conntrack reassembles them on the OUTPUT path you hit this code path.
You can test it with something like "hping2 -0 -d 2000 -f AA.BB.CC.DD"
With help from Jarek Poplawski.
Signed-off-by: Jorge Boncompte [DTI2] <jorge@dti2.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv4/ip_fragment.c | 3 | ||||
| -rw-r--r-- | net/ipv6/reassembly.c | 7 |
2 files changed, 5 insertions, 5 deletions
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index 6659ac000eeb..7985346653bd 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c | |||
| @@ -463,6 +463,7 @@ err: | |||
| 463 | static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev, | 463 | static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev, |
| 464 | struct net_device *dev) | 464 | struct net_device *dev) |
| 465 | { | 465 | { |
| 466 | struct net *net = container_of(qp->q.net, struct net, ipv4.frags); | ||
| 466 | struct iphdr *iph; | 467 | struct iphdr *iph; |
| 467 | struct sk_buff *fp, *head = qp->q.fragments; | 468 | struct sk_buff *fp, *head = qp->q.fragments; |
| 468 | int len; | 469 | int len; |
| @@ -548,7 +549,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev, | |||
| 548 | iph = ip_hdr(head); | 549 | iph = ip_hdr(head); |
| 549 | iph->frag_off = 0; | 550 | iph->frag_off = 0; |
| 550 | iph->tot_len = htons(len); | 551 | iph->tot_len = htons(len); |
| 551 | IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_REASMOKS); | 552 | IP_INC_STATS_BH(net, IPSTATS_MIB_REASMOKS); |
| 552 | qp->q.fragments = NULL; | 553 | qp->q.fragments = NULL; |
| 553 | return 0; | 554 | return 0; |
| 554 | 555 | ||
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c index 3c575118fca5..e9ac7a12f595 100644 --- a/net/ipv6/reassembly.c +++ b/net/ipv6/reassembly.c | |||
| @@ -452,6 +452,7 @@ err: | |||
| 452 | static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, | 452 | static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, |
| 453 | struct net_device *dev) | 453 | struct net_device *dev) |
| 454 | { | 454 | { |
| 455 | struct net *net = container_of(fq->q.net, struct net, ipv6.frags); | ||
| 455 | struct sk_buff *fp, *head = fq->q.fragments; | 456 | struct sk_buff *fp, *head = fq->q.fragments; |
| 456 | int payload_len; | 457 | int payload_len; |
| 457 | unsigned int nhoff; | 458 | unsigned int nhoff; |
| @@ -551,8 +552,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, | |||
| 551 | head->csum); | 552 | head->csum); |
| 552 | 553 | ||
| 553 | rcu_read_lock(); | 554 | rcu_read_lock(); |
| 554 | IP6_INC_STATS_BH(dev_net(dev), | 555 | IP6_INC_STATS_BH(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS); |
| 555 | __in6_dev_get(dev), IPSTATS_MIB_REASMOKS); | ||
| 556 | rcu_read_unlock(); | 556 | rcu_read_unlock(); |
| 557 | fq->q.fragments = NULL; | 557 | fq->q.fragments = NULL; |
| 558 | return 1; | 558 | return 1; |
| @@ -566,8 +566,7 @@ out_oom: | |||
| 566 | printk(KERN_DEBUG "ip6_frag_reasm: no memory for reassembly\n"); | 566 | printk(KERN_DEBUG "ip6_frag_reasm: no memory for reassembly\n"); |
| 567 | out_fail: | 567 | out_fail: |
| 568 | rcu_read_lock(); | 568 | rcu_read_lock(); |
| 569 | IP6_INC_STATS_BH(dev_net(dev), | 569 | IP6_INC_STATS_BH(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS); |
| 570 | __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS); | ||
| 571 | rcu_read_unlock(); | 570 | rcu_read_unlock(); |
| 572 | return -1; | 571 | return -1; |
| 573 | } | 572 | } |