[NET]: Fix segmentation of linear packets
authorHerbert Xu <herbert@gondor.apana.org.au>
Sun, 29 Oct 2006 23:59:41 +0000 (15:59 -0800)
committerDavid S. Miller <davem@sunset.davemloft.net>
Mon, 30 Oct 2006 23:24:36 +0000 (15:24 -0800)
skb_segment fails to segment linear packets correctly because it
tries to write all linear parts of the original skb into each
segment.  This will always panic as each segment only contains
enough space for one MSS.

This was not detected earlier because linear packets should be
rare for GSO.  In fact it still remains to be seen what exactly
created the linear packets that triggered this bug.  Basically
the only time this should happen is if someone enables GSO
emulation on an interface that does not support SG.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/skbuff.c

index 3c23760c5827518769f14ea3eaaa8fefb1e73397..f735455dc5d178c2d61f001e007e03fe8a86b5e4 100644 (file)
@@ -1946,7 +1946,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int features)
        do {
                struct sk_buff *nskb;
                skb_frag_t *frag;
-               int hsize, nsize;
+               int hsize;
                int k;
                int size;
 
@@ -1957,11 +1957,10 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int features)
                hsize = skb_headlen(skb) - offset;
                if (hsize < 0)
                        hsize = 0;
-               nsize = hsize + doffset;
-               if (nsize > len + doffset || !sg)
-                       nsize = len + doffset;
+               if (hsize > len || !sg)
+                       hsize = len;
 
-               nskb = alloc_skb(nsize + headroom, GFP_ATOMIC);
+               nskb = alloc_skb(hsize + doffset + headroom, GFP_ATOMIC);
                if (unlikely(!nskb))
                        goto err;