diff options
author | Allan Stephens <allan.stephens@windriver.com> | 2006-06-29 15:32:46 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-06-29 20:08:10 -0400 |
commit | e49060c7cab6ca856d048e1e10d71c0e6fedf376 (patch) | |
tree | 20b3ebd30b8cc645684c369e42c968276411e7d2 | |
parent | caf430f37119af5faac9252ec4e18cb1c55dde26 (diff) |
[TIPC]: Fixed skb_under_panic caused by tipc_link_bundle_buf
Now determines tailroom of bundle buffer by directly inspection of buffer.
Previously, buffer was assumed to have a max capacity equal to the link MTU,
but the addition of link MTU negotiation means that the link MTU can increase
after the bundle buffer is allocated.
Signed-off-by: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: Per Liden <per.liden@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/tipc/link.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c index d64658053746..c6831c75cfa4 100644 --- a/net/tipc/link.c +++ b/net/tipc/link.c | |||
@@ -2,7 +2,7 @@ | |||
2 | * net/tipc/link.c: TIPC link code | 2 | * net/tipc/link.c: TIPC link code |
3 | * | 3 | * |
4 | * Copyright (c) 1996-2006, Ericsson AB | 4 | * Copyright (c) 1996-2006, Ericsson AB |
5 | * Copyright (c) 2004-2005, Wind River Systems | 5 | * Copyright (c) 2004-2006, Wind River Systems |
6 | * All rights reserved. | 6 | * All rights reserved. |
7 | * | 7 | * |
8 | * Redistribution and use in source and binary forms, with or without | 8 | * Redistribution and use in source and binary forms, with or without |
@@ -988,17 +988,18 @@ static int link_bundle_buf(struct link *l_ptr, | |||
988 | struct tipc_msg *bundler_msg = buf_msg(bundler); | 988 | struct tipc_msg *bundler_msg = buf_msg(bundler); |
989 | struct tipc_msg *msg = buf_msg(buf); | 989 | struct tipc_msg *msg = buf_msg(buf); |
990 | u32 size = msg_size(msg); | 990 | u32 size = msg_size(msg); |
991 | u32 to_pos = align(msg_size(bundler_msg)); | 991 | u32 bundle_size = msg_size(bundler_msg); |
992 | u32 rest = link_max_pkt(l_ptr) - to_pos; | 992 | u32 to_pos = align(bundle_size); |
993 | u32 pad = to_pos - bundle_size; | ||
993 | 994 | ||
994 | if (msg_user(bundler_msg) != MSG_BUNDLER) | 995 | if (msg_user(bundler_msg) != MSG_BUNDLER) |
995 | return 0; | 996 | return 0; |
996 | if (msg_type(bundler_msg) != OPEN_MSG) | 997 | if (msg_type(bundler_msg) != OPEN_MSG) |
997 | return 0; | 998 | return 0; |
998 | if (rest < align(size)) | 999 | if (skb_tailroom(bundler) < (pad + size)) |
999 | return 0; | 1000 | return 0; |
1000 | 1001 | ||
1001 | skb_put(bundler, (to_pos - msg_size(bundler_msg)) + size); | 1002 | skb_put(bundler, pad + size); |
1002 | memcpy(bundler->data + to_pos, buf->data, size); | 1003 | memcpy(bundler->data + to_pos, buf->data, size); |
1003 | msg_set_size(bundler_msg, to_pos + size); | 1004 | msg_set_size(bundler_msg, to_pos + size); |
1004 | msg_set_msgcnt(bundler_msg, msg_msgcnt(bundler_msg) + 1); | 1005 | msg_set_msgcnt(bundler_msg, msg_msgcnt(bundler_msg) + 1); |