aboutsummaryrefslogtreecommitdiffstats
path: root/net/core
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2006-10-29 18:59:41 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-10-30 18:24:36 -0500
commitc8884edd078748905552d667857259e5358e1232 (patch)
treece639a8d8852b8794e6a992a32d23e29ca343355 /net/core
parent54489c14c058822f7019648b3718bd3820dee802 (diff)
[NET]: Fix segmentation of linear packets
skb_segment fails to segment linear packets correctly because it tries to write all linear parts of the original skb into each segment. This will always panic as each segment only contains enough space for one MSS. This was not detected earlier because linear packets should be rare for GSO. In fact it still remains to be seen what exactly created the linear packets that triggered this bug. Basically the only time this should happen is if someone enables GSO emulation on an interface that does not support SG. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
-rw-r--r--net/core/skbuff.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 3c23760c5827..f735455dc5d1 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1946,7 +1946,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int features)
1946 do { 1946 do {
1947 struct sk_buff *nskb; 1947 struct sk_buff *nskb;
1948 skb_frag_t *frag; 1948 skb_frag_t *frag;
1949 int hsize, nsize; 1949 int hsize;
1950 int k; 1950 int k;
1951 int size; 1951 int size;
1952 1952
@@ -1957,11 +1957,10 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int features)
1957 hsize = skb_headlen(skb) - offset; 1957 hsize = skb_headlen(skb) - offset;
1958 if (hsize < 0) 1958 if (hsize < 0)
1959 hsize = 0; 1959 hsize = 0;
1960 nsize = hsize + doffset; 1960 if (hsize > len || !sg)
1961 if (nsize > len + doffset || !sg) 1961 hsize = len;
1962 nsize = len + doffset;
1963 1962
1964 nskb = alloc_skb(nsize + headroom, GFP_ATOMIC); 1963 nskb = alloc_skb(hsize + doffset + headroom, GFP_ATOMIC);
1965 if (unlikely(!nskb)) 1964 if (unlikely(!nskb))
1966 goto err; 1965 goto err;
1967 1966