ipv6: udp: fix the wrong headroom check
authorShan Wei <shanwei@cn.fujitsu.com>
Tue, 19 Apr 2011 22:52:49 +0000 (22:52 +0000)
committerDavid S. Miller <davem@davemloft.net>
Thu, 21 Apr 2011 17:39:10 +0000 (10:39 -0700)
At this point, skb->data points to skb_transport_header.
So, headroom check is wrong.

For some case:bridge(UFO is on) + eth device(UFO is off),
there is no enough headroom for IPv6 frag head.
But headroom check is always false.

This will bring about data be moved to there prior to skb->head,
when adding IPv6 frag header to skb.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/udp.c

index 15c37746845ed1ad678866756b4057421b7f3f0a..9e305d74b3d41a99a065da67fe54bd3a4a9ebaa6 100644 (file)
@@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
        skb->ip_summed = CHECKSUM_NONE;
 
        /* Check if there is enough headroom to insert fragment header. */
-       if ((skb_headroom(skb) < frag_hdr_sz) &&
+       if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
            pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
                goto out;