1 files changed, 52 insertions, 15 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4b15938bef4d..9fb49c3b518a 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1105,6 +1105,18 @@ static inline int ip6_ufo_append_data(struct sock *sk,
        return err;
 }
+static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
+                                               gfp_t gfp)
+{
+        return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
+}
+static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
+                                                gfp_t gfp)
+{
+        return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
+}
 int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
        int offset, int len, int odd, struct sk_buff *skb),
        void *from, int length, int transhdrlen,
@@ -1130,17 +1142,37 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                 * setup for corking
                 */
                if (opt) {
-                        if (np->cork.opt == NULL) {
+                        if (WARN_ON(np->cork.opt))
-                                np->cork.opt = kmalloc(opt->tot_len,
-                                                       sk->sk_allocation);
-                                if (unlikely(np->cork.opt == NULL))
-                                        return -ENOBUFS;
-                        } else if (np->cork.opt->tot_len < opt->tot_len) {
-                                printk(KERN_DEBUG "ip6_append_data: invalid option length\n");
                                return -EINVAL;
-                        }
-                        memcpy(np->cork.opt, opt, opt->tot_len);
+                        np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
-                        inet->cork.flags |= IPCORK_OPT;
+                        if (unlikely(np->cork.opt == NULL))
+                                return -ENOBUFS;
+                        np->cork.opt->tot_len = opt->tot_len;
+                        np->cork.opt->opt_flen = opt->opt_flen;
+                        np->cork.opt->opt_nflen = opt->opt_nflen;
+                        np->cork.opt->dst0opt = ip6_opt_dup(opt->dst0opt,
+                                                            sk->sk_allocation);
+                        if (opt->dst0opt && !np->cork.opt->dst0opt)
+                                return -ENOBUFS;
+                        np->cork.opt->dst1opt = ip6_opt_dup(opt->dst1opt,
+                                                            sk->sk_allocation);
+                        if (opt->dst1opt && !np->cork.opt->dst1opt)
+                                return -ENOBUFS;
+                        np->cork.opt->hopopt = ip6_opt_dup(opt->hopopt,
+                                                           sk->sk_allocation);
+                        if (opt->hopopt && !np->cork.opt->hopopt)
+                                return -ENOBUFS;
+                        np->cork.opt->srcrt = ip6_rthdr_dup(opt->srcrt,
+                                                            sk->sk_allocation);
+                        if (opt->srcrt && !np->cork.opt->srcrt)
+                                return -ENOBUFS;
                        /* need source address above miyazawa*/
                }
                dst_hold(&rt->u.dst);
@@ -1167,8 +1199,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
        } else {
                rt = (struct rt6_info *)inet->cork.dst;
                fl = &inet->cork.fl;
-                if (inet->cork.flags & IPCORK_OPT)
+                opt = np->cork.opt;
-                        opt = np->cork.opt;
                transhdrlen = 0;
                exthdrlen = 0;
                mtu = inet->cork.fragsize;
@@ -1407,9 +1438,15 @@ error:
 static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np)
 {
-        inet->cork.flags &= ~IPCORK_OPT;
+        if (np->cork.opt) {
-        kfree(np->cork.opt);
+                kfree(np->cork.opt->dst0opt);
-        np->cork.opt = NULL;
+                kfree(np->cork.opt->dst1opt);
+                kfree(np->cork.opt->hopopt);
+                kfree(np->cork.opt->srcrt);
+                kfree(np->cork.opt);
+                np->cork.opt = NULL;
+        }
        if (inet->cork.dst) {
                dst_release(inet->cork.dst);
                inet->cork.dst = NULL;

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 4b15938bef4d..9fb49c3b518a 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c
@@ -1105,6 +1105,18 @@ static inline int ip6_ufo_append_data(struct sock *sk,
1105	return err;	1105	return err;
1106	}	1106	}
1107		1107
		1108	static inline struct ipv6_opt_hdr ip6_opt_dup(struct ipv6_opt_hdr src,
		1109	gfp_t gfp)
		1110	{
		1111	return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
		1112	}
		1113
		1114	static inline struct ipv6_rt_hdr ip6_rthdr_dup(struct ipv6_rt_hdr src,
		1115	gfp_t gfp)
		1116	{
		1117	return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
		1118	}
		1119
1108	int ip6_append_data(struct sock sk, int getfrag(void from, char *to,	1120	int ip6_append_data(struct sock sk, int getfrag(void from, char *to,
1109	int offset, int len, int odd, struct sk_buff *skb),	1121	int offset, int len, int odd, struct sk_buff *skb),
1110	void *from, int length, int transhdrlen,	1122	void *from, int length, int transhdrlen,
@@ -1130,17 +1142,37 @@ int ip6_append_data(struct sock sk, int getfrag(void from, char *to,
1130	* setup for corking	1142	* setup for corking
1131	*/	1143	*/
1132	if (opt) {	1144	if (opt) {
1133	if (np->cork.opt == NULL) {	1145	if (WARN_ON(np->cork.opt))
1134	np->cork.opt = kmalloc(opt->tot_len,
1135	sk->sk_allocation);
1136	if (unlikely(np->cork.opt == NULL))
1137	return -ENOBUFS;
1138	} else if (np->cork.opt->tot_len < opt->tot_len) {
1139	printk(KERN_DEBUG "ip6_append_data: invalid option length\n");
1140	return -EINVAL;	1146	return -EINVAL;
1141	}	1147
1142	memcpy(np->cork.opt, opt, opt->tot_len);	1148	np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
1143	inet->cork.flags \|= IPCORK_OPT;	1149	if (unlikely(np->cork.opt == NULL))
		1150	return -ENOBUFS;
		1151
		1152	np->cork.opt->tot_len = opt->tot_len;
		1153	np->cork.opt->opt_flen = opt->opt_flen;
		1154	np->cork.opt->opt_nflen = opt->opt_nflen;
		1155
		1156	np->cork.opt->dst0opt = ip6_opt_dup(opt->dst0opt,
		1157	sk->sk_allocation);
		1158	if (opt->dst0opt && !np->cork.opt->dst0opt)
		1159	return -ENOBUFS;
		1160
		1161	np->cork.opt->dst1opt = ip6_opt_dup(opt->dst1opt,
		1162	sk->sk_allocation);
		1163	if (opt->dst1opt && !np->cork.opt->dst1opt)
		1164	return -ENOBUFS;
		1165
		1166	np->cork.opt->hopopt = ip6_opt_dup(opt->hopopt,
		1167	sk->sk_allocation);
		1168	if (opt->hopopt && !np->cork.opt->hopopt)
		1169	return -ENOBUFS;
		1170
		1171	np->cork.opt->srcrt = ip6_rthdr_dup(opt->srcrt,
		1172	sk->sk_allocation);
		1173	if (opt->srcrt && !np->cork.opt->srcrt)
		1174	return -ENOBUFS;
		1175
1144	/* need source address above miyazawa*/	1176	/* need source address above miyazawa*/
1145	}	1177	}
1146	dst_hold(&rt->u.dst);	1178	dst_hold(&rt->u.dst);
@@ -1167,8 +1199,7 @@ int ip6_append_data(struct sock sk, int getfrag(void from, char *to,
1167	} else {	1199	} else {
1168	rt = (struct rt6_info *)inet->cork.dst;	1200	rt = (struct rt6_info *)inet->cork.dst;
1169	fl = &inet->cork.fl;	1201	fl = &inet->cork.fl;
1170	if (inet->cork.flags & IPCORK_OPT)	1202	opt = np->cork.opt;
1171	opt = np->cork.opt;
1172	transhdrlen = 0;	1203	transhdrlen = 0;
1173	exthdrlen = 0;	1204	exthdrlen = 0;
1174	mtu = inet->cork.fragsize;	1205	mtu = inet->cork.fragsize;
@@ -1407,9 +1438,15 @@ error:
1407		1438
1408	static void ip6_cork_release(struct inet_sock inet, struct ipv6_pinfo np)	1439	static void ip6_cork_release(struct inet_sock inet, struct ipv6_pinfo np)
1409	{	1440	{
1410	inet->cork.flags &= ~IPCORK_OPT;	1441	if (np->cork.opt) {
1411	kfree(np->cork.opt);	1442	kfree(np->cork.opt->dst0opt);
1412	np->cork.opt = NULL;	1443	kfree(np->cork.opt->dst1opt);
		1444	kfree(np->cork.opt->hopopt);
		1445	kfree(np->cork.opt->srcrt);
		1446	kfree(np->cork.opt);
		1447	np->cork.opt = NULL;
		1448	}
		1449
1413	if (inet->cork.dst) {	1450	if (inet->cork.dst) {
1414	dst_release(inet->cork.dst);	1451	dst_release(inet->cork.dst);
1415	inet->cork.dst = NULL;	1452	inet->cork.dst = NULL;