authorAllan Stephens <allan.stephens@windriver.com>2006-07-03 22:39:36 -0400
committerDavid S. Miller <davem@davemloft.net>2006-07-03 22:39:36 -0400
commit863fae666acb87b150f4634e6e79476ebe274f43 (patch)
tree59b09c818b986972dc831f43a81ada63f3f824f3
parentbbcf467dab42ea3c85f368df346c82af2fbba665 (diff)
[TIPC] Fixed sk_buff panic caused by tipc_link_bundle_buf (REVISED)
The recent change to direct inspection of bundle buffer tailroom did not account for the possibility of unrequested tailroom added by skb_alloc(), thereby allowing a bundle to be created that exceeds the current link MTU. An additional check now ensures that bundling works correctly no matter if the bundle buffer is smaller, larger, or equal to the link MTU. Signed-off-by: Allan Stephens <allan.stephens@windriver.com> Signed-off-by: Per Liden <per.liden@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/tipc/core.h5
-rw-r--r--net/tipc/link.c2
2 files changed, 6 insertions, 1 deletions
diff --git a/net/tipc/core.h b/net/tipc/core.h
index 86f54f3512f1..762aac2572be 100644
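--- a/net/tipc/core.h
+++ b/net/tipc/core.h
@@ -297,7 +297,10 @@ static inline struct tipc_msg *buf_msg(struct sk_buff *skb)
  * buf_acquire - creates a TIPC message buffer
  * @size: message size (including TIPC header)
  *
- * Returns a new buffer. Space is reserved for a data link header.
+ * Returns a new buffer with data pointers set to the specified size.
+ *
+ * NOTE: Headroom is reserved to allow prepending of a data link header.
+ * There may also be unrequested tailroom present at the buffer's end.
  */
 
 static inline struct sk_buff *buf_acquire(u32 size)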
diff --git a/net/tipc/link.c b/net/tipc/link.c
index c6831c75cfa4..c10e18a49b96 100644
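--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -998,6 +998,8 @@ static int link_bundle_buf(struct link *l_ptr,
  return 0;
  if (skb_tailroom(bundler) < (pad + size))
  return 0;
+ if (link_max_pkt(l_ptr) < (to_pos + size))
+ return 0;
 
  skb_put(bundler, pad + size);
  memcpy(bundler->data + to_pos, buf->data, size);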
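Review bot: The new `link_max_pkt(l_ptr) < (to_pos + size)` test sits directly under the tailroom test with no comment saying why both bounds are needed; the reason (the allocator may return more tailroom than was requested, so tailroom alone can admit a bundle larger than the link MTU) is recorded only in the commit message. I would add above it `/* tailroom may exceed the requested size; also cap the bundle at the link MTU */`. The declarations of `pad`, `to_pos` and `size` are outside the hunk, so it is worth confirming that `pad + size` and `to_pos + size` cannot wrap for the widths used, since the `skb_put` and `memcpy` that follow rely on these two comparisons alone. link_bundle_buf's body starts and ends outside the hunk.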