net: BUG instead of corrupting memory in pskb_expand_head
authorHerbert Xu <herbert@gondor.apana.org.au>
Wed, 1 Oct 2008 14:09:38 +0000 (07:09 -0700)
committerDavid S. Miller <davem@davemloft.net>
Wed, 1 Oct 2008 14:09:38 +0000 (07:09 -0700)
If the caller of pskb_expand_head specifies a negative nhead
we'll silently overwrite other people's memory.  This patch
makes it BUG instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/skbuff.c

index 2c218a0808b4d5fa0a09e90ae8edac6c2b27affe..8bd248a64879bcac5f91a53659abcb281ada594a 100644 (file)
@@ -738,6 +738,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 #endif
        long off;
 
+       BUG_ON(nhead < 0);
+
        if (skb_shared(skb))
                BUG();