authorAllan Stephens <allan.stephens@windriver.com>2006-06-29 15:32:46 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-06-29 20:08:10 -0400
commite49060c7cab6ca856d048e1e10d71c0e6fedf376 (patch)
tree20b3ebd30b8cc645684c369e42c968276411e7d2
parentcaf430f37119af5faac9252ec4e18cb1c55dde26 (diff)
[TIPC]: Fixed skb_under_panic caused by tipc_link_bundle_buf
Now determines tailroom of bundle buffer by direct inspection of the buffer. Previously, buffer was assumed to have a max capacity equal to the link MTU, but the addition of link MTU negotiation means that the link MTU can increase after the bundle buffer is allocated. Signed-off-by: Allan Stephens <allan.stephens@windriver.com> Signed-off-by: Per Liden <per.liden@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/tipc/link.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c
index d64658053746..c6831c75cfa4 100644
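--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2,7 +2,7 @@
 * net/tipc/link.c: TIPC link code
 *
 * Copyright (c) 1996-2006, Ericsson AB
-* Copyright (c) 2004-2005, Wind River Systems
+* Copyright (c) 2004-2006, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -988,17 +988,18 @@ static int link_bundle_buf(struct link *l_ptr,
 struct tipc_msg *bundler_msg = buf_msg(bundler);
 struct tipc_msg *msg = buf_msg(buf);
 u32 size = msg_size(msg);
-u32 to_pos = align(msg_size(bundler_msg));
-u32 rest = link_max_pkt(l_ptr) - to_pos;
+u32 bundle_size = msg_size(bundler_msg);
+u32 to_pos = align(bundle_size);
+u32 pad = to_pos - bundle_size;
 
 if (msg_user(bundler_msg) != MSG_BUNDLER)
 return 0;
 if (msg_type(bundler_msg) != OPEN_MSG)
 return 0;
-if (rest < align(size))
+if (skb_tailroom(bundler) < (pad + size))
 return 0;
 
-skb_put(bundler, (to_pos - msg_size(bundler_msg)) + size);
+skb_put(bundler, pad + size);
 memcpy(bundler->data + to_pos, buf->data, size);
 msg_set_size(bundler_msg, to_pos + size);
 msg_set_msgcnt(bundler_msg, msg_msgcnt(bundler_msg) + 1);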
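Review bot: The new guard at new line 999 bounds the append only by `skb_tailroom(bundler)`, so link_bundle_buf no longer compares the bundle against the link MTU at all. If the bundle buffer ever has more tailroom than the current MTU (allocator rounding, or an MTU that negotiation can also lower, neither of which is visible in this hunk), the bundle could grow past what the link is allowed to send. Keeping both bounds would cover that case: after the tailroom check add `if (link_max_pkt(l_ptr) < (to_pos + size)) return 0;`. A one-line comment above the tailroom test, for example `/* capacity is the skb's real tailroom; link MTU may have changed since allocation */`, would record why the check was changed. The function's signature and its return path lie outside the hunk.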