[TIPC]: Fixed skb_under_panic caused by tipc_link_bundle_buf

Now determines the tailroom of the bundle buffer by direct inspection of the buffer.
Previously, buffer was assumed to have a max capacity equal to the link MTU,
but the addition of link MTU negotiation means that the link MTU can increase
after the bundle buffer is allocated.

Signed-off-by: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: Per Liden <per.liden@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Allan Stephens and committed by David S. Miller e49060c7 caf430f3

+6 -5
+6 -5
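--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2,7 +2,7 @@
  * net/tipc/link.c: TIPC link code
  *
  * Copyright (c) 1996-2006, Ericsson AB
- * Copyright (c) 2004-2005, Wind River Systems
+ * Copyright (c) 2004-2006, Wind River Systems
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -988,17 +988,18 @@
  struct tipc_msg *bundler_msg = buf_msg(bundler);
  struct tipc_msg *msg = buf_msg(buf);
  u32 size = msg_size(msg);
- u32 to_pos = align(msg_size(bundler_msg));
- u32 rest = link_max_pkt(l_ptr) - to_pos;
+ u32 bundle_size = msg_size(bundler_msg);
+ u32 to_pos = align(bundle_size);
+ u32 pad = to_pos - bundle_size;
 
  if (msg_user(bundler_msg) != MSG_BUNDLER)
  return 0;
  if (msg_type(bundler_msg) != OPEN_MSG)
  return 0;
- if (rest < align(size))
+ if (skb_tailroom(bundler) < (pad + size))
  return 0;
 
- skb_put(bundler, pad + size);
+ skb_put(bundler, pad + size);
  memcpy(bundler->data + to_pos, buf->data, size);
  msg_set_size(bundler_msg, to_pos + size);
  msg_set_msgcnt(bundler_msg, msg_msgcnt(bundler_msg) + 1);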
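Review bot: The new guard `if (skb_tailroom(bundler) < (pad + size))` bounds the write by the buffer, but the bundle is no longer bounded by the link MTU at all, since the `link_max_pkt(l_ptr)` comparison was dropped along with `rest`. If the bundle buffer is ever allocated with more tailroom than the current MTU (allocator rounding, or an MTU that was lowered after allocation; the allocation site is not visible here, so this is an assumption to confirm), the bundle could grow past what the link can send. Keeping both limits would cover that: `if (link_max_pkt(l_ptr) < (to_pos + size)) return 0;` placed next to the tailroom check. A short comment above the tailroom check, such as `/* MTU may have grown since bundler was allocated; trust the skb, not the MTU */`, would also record why the buffer is inspected directly. The enclosing function begins and ends outside the lines shown.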