diff options
| author | Hannes Frederic Sowa <hannes@stressinduktion.org> | 2013-09-21 06:27:00 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-10-13 14:51:07 -0700 |
| commit | daf468318a3a1548bf5cf8b1be493af104f5868f (patch) | |
| tree | c87caff65c16241727b6299fcf5d4b751f5ff713 /drivers | |
| parent | a9092e91e01a1f1902c24d1d55cad8a472c282d0 (diff) | |
| download | kernel_samsung_smdk4412-daf468318a3a1548bf5cf8b1be493af104f5868f.zip kernel_samsung_smdk4412-daf468318a3a1548bf5cf8b1be493af104f5868f.tar.gz kernel_samsung_smdk4412-daf468318a3a1548bf5cf8b1be493af104f5868f.tar.bz2 | |
ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
[ Upstream commit 2811ebac2521ceac84f2bdae402455baa6a7fb47 ]
In the following scenario the socket is corked:
If the first UDP packet is larger then the mtu we try to append it to the
write queue via ip6_ufo_append_data. A following packet, which is smaller
than the mtu would be appended to the already queued up gso-skb via
plain ip6_append_data. This causes random memory corruptions.
In ip6_ufo_append_data we also have to be careful to not queue up the
same skb multiple times. So setup the gso frame only when no first skb
is available.
This also fixes a shortcoming where we add the current packet's length to
cork->length but return early because of a packet > mtu with dontfrag set
(instead of sutracting it again).
Found with trinity.
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
0 files changed, 0 insertions, 0 deletions