author | Herbert Xu <herbert@gondor.apana.org.au> | 2005-09-14 23:50:35 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-09-14 23:50:35 -0400 |
commit | 3c05d92ed49f644d1f5a960fa48637d63b946016 (patch) | |
tree | 4882f2b114f7bb497e9844e21fe8bff4f8160def /net/ipv4/tcp_output.c | |
parent | 1619cca2921f6927f4240e03f413d4165c7002fc (diff) |
[TCP]: Compute in_sacked properly when we split up a TSO frame.

The problem is that the SACK fragmenting code may incorrectly call
tcp_fragment() with a length larger than the skb->len. This happens
when the skb on the transmit queue completely falls to the LHS of the
SACK.

And add a BUG() check to tcp_fragment() so we can spot this kind of
error more quickly in the future.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_output.c')
-rw-r--r-- | net/ipv4/tcp_output.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index c10e4435e3b1..b018e31b6530 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c | |||
@@ -435,6 +435,8 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss | |||
435 | int nsize, old_factor; | 435 | int nsize, old_factor; |
436 | u16 flags; | 436 | u16 flags; |
437 | 437 | ||
438 | BUG_ON(len >= skb->len); | ||
439 | |||
438 | nsize = skb_headlen(skb) - len; | 440 | nsize = skb_headlen(skb) - len; |
439 | if (nsize < 0) | 441 | if (nsize < 0) |
440 | nsize = 0; | 442 | nsize = 0; |
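
Review bot: `BUG_ON(len >= skb->len)` at the top of tcp_fragment() halts the kernel on a condition that, per the commit message, was reached from the SACK fragmenting code, so any caller that still passes a bad length now produces a crash instead of a recoverable error. Since tcp_fragment() returns int, consider a warning plus an error return at this point (for example `WARN_ON(len >= skb->len)` followed by a negative errno), provided the callers check the result. The check also rejects `len == skb->len`, while the commit message only mentions a length larger than skb->len; a short comment above the check saying why equality is rejected as well would make the `>=` clearly intentional.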