diff options
author | Patrick McHardy <kaber@trash.net> | 2009-12-01 18:53:57 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-12-01 18:53:57 -0500 |
commit | b2722b1c3a893ec6021508da15b32282ec79f4da (patch) | |
tree | b3f3fbf1d9b2c80bdc2d1a7a7786498fc2b62d64 | |
parent | 7e8f44f8d4fa9bb35e32c161fbcdbd6b9e6400e3 (diff) |
ip_fragment: also adjust skb->truesize for packets not owned by a socket
When a large packet gets reassembled by ip_defrag(), the head skb
accounts for all the fragments in skb->truesize. If this packet is
refragmented again, skb->truesize is not re-adjusted to reflect only
the head size since its not owned by a socket. If the head fragment
then gets recycled and reused for another received fragment, it might
exceed the defragmentation limits due to its large truesize value.
skb_recycle_check() explicitly checks for linear skbs, so any recycled
skb should reflect its true size in skb->truesize. Change ip_fragment()
to also adjust the truesize value of skbs not owned by a socket.
Reported-and-tested-by: Ben Menchaca <ben@bigfootnetworks.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/ip_output.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index f9895180f481..4d50daab0c3e 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c | |||
@@ -501,8 +501,8 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) | |||
501 | if (skb->sk) { | 501 | if (skb->sk) { |
502 | frag->sk = skb->sk; | 502 | frag->sk = skb->sk; |
503 | frag->destructor = sock_wfree; | 503 | frag->destructor = sock_wfree; |
504 | truesizes += frag->truesize; | ||
505 | } | 504 | } |
505 | truesizes += frag->truesize; | ||
506 | } | 506 | } |
507 | 507 | ||
508 | /* Everything is OK. Generate! */ | 508 | /* Everything is OK. Generate! */ |