[TCP]: Compute in_sacked properly when we split up a TSO frame.
authorHerbert Xu <herbert@gondor.apana.org.au>
Thu, 15 Sep 2005 03:50:35 +0000 (20:50 -0700)
committerDavid S. Miller <davem@davemloft.net>
Thu, 15 Sep 2005 03:50:35 +0000 (20:50 -0700)
The problem is that the SACK fragmenting code may incorrectly call
tcp_fragment() with a length larger than the skb->len.  This happens
when the skb on the transmit queue completely falls to the LHS of the
SACK.

And add a BUG() check to tcp_fragment() so we can spot this kind of
error more quickly in the future.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp_input.c
net/ipv4/tcp_output.c

index 29222b964951ce4d2d505a3d3d9bed0ca762e025..a7537c7bbd06f0040c4d44f255c081cea93a215b 100644 (file)
@@ -979,14 +979,19 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
                        if (!before(TCP_SKB_CB(skb)->seq, end_seq))
                                break;
 
+                       in_sack = !after(start_seq, TCP_SKB_CB(skb)->seq) &&
+                               !before(end_seq, TCP_SKB_CB(skb)->end_seq);
+
                        pcount = tcp_skb_pcount(skb);
 
-                       if (pcount > 1 &&
-                           (after(start_seq, TCP_SKB_CB(skb)->seq) ||
-                            before(end_seq, TCP_SKB_CB(skb)->end_seq))) {
+                       if (pcount > 1 && !in_sack &&
+                           after(TCP_SKB_CB(skb)->end_seq, start_seq)) {
                                unsigned int pkt_len;
 
-                               if (after(start_seq, TCP_SKB_CB(skb)->seq))
+                               in_sack = !after(start_seq,
+                                                TCP_SKB_CB(skb)->seq);
+
+                               if (!in_sack)
                                        pkt_len = (start_seq -
                                                   TCP_SKB_CB(skb)->seq);
                                else
@@ -999,9 +1004,6 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
 
                        fack_count += pcount;
 
-                       in_sack = !after(start_seq, TCP_SKB_CB(skb)->seq) &&
-                               !before(end_seq, TCP_SKB_CB(skb)->end_seq);
-
                        sacked = TCP_SKB_CB(skb)->sacked;
 
                        /* Account D-SACK for retransmitted packet. */
index c10e4435e3b1258a9ca0b5615be8af6d103142a2..b018e31b65307618dc3ed068745d7d6cbabda608 100644 (file)
@@ -435,6 +435,8 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
        int nsize, old_factor;
        u16 flags;
 
+       BUG_ON(len >= skb->len);
+
        nsize = skb_headlen(skb) - len;
        if (nsize < 0)
                nsize = 0;