From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Shan Wei <shanwei@cn.fujitsu.com>,
Herbert Xu <herbert@gondor.hengli.com.au>,
"David S. Miller" <davem@davemloft.net>
Subject: [17/25] ipv6: udp: fix the wrong headroom check
Date: Tue, 22 Nov 2011 16:21:07 -0800 [thread overview]
Message-ID: <20111123002208.595716630@clark.kroah.org> (raw)
In-Reply-To: <20111123002222.GA2376@kroah.com>
2.6.32-longterm review patch. If anyone has any objections, please let me know.
------------------
Content-Length: 1099
Lines: 35
From: Shan Wei <shanwei@cn.fujitsu.com>
commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream.
At this point, skb->data points to skb_transport_header.
So, headroom check is wrong.
For some case:bridge(UFO is on) + eth device(UFO is off),
there is no enough headroom for IPv6 frag head.
But headroom check is always false.
This will bring about data be moved to there prior to skb->head,
when adding IPv6 frag header to skb.
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv6/udp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1141,7 +1141,7 @@ static struct sk_buff *udp6_ufo_fragment
skb->ip_summed = CHECKSUM_NONE;
/* Check if there is enough headroom to insert fragment header. */
- if ((skb_headroom(skb) < frag_hdr_sz) &&
+ if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
goto out;
next prev parent reply other threads:[~2011-11-23 0:33 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-23 0:22 [00/25] 2.6.32.49-longterm review Greg KH
2011-11-23 0:20 ` [01/25] [SCSI] st: fix race in st_scsi_execute_end Greg KH
2011-11-23 0:20 ` [02/25] [SCSI] Make scsi_free_queue() kill pending SCSI commands Greg KH
2011-11-23 0:20 ` [03/25] NFS/sunrpc: dont use a credential with extra groups Greg KH
2011-11-23 0:20 ` [04/25] netlink: validate NLA_MSECS length Greg KH
2011-11-23 0:20 ` [05/25] mtd: mtdchar: add missing initializer on raw write Greg KH
2011-11-23 0:20 ` [06/25] PM / Suspend: Off by one in pm_suspend() Greg KH
2011-11-23 0:20 ` [07/25] hfs: add sanity check for file name length Greg KH
2011-11-23 0:20 ` [08/25] kbuild: Disable -Wunused-but-set-variable for gcc 4.6.0 Greg KH
2011-11-23 0:20 ` [09/25] ASoC: wm8940: Properly set codec->dapm.bias_level Greg KH
2011-11-23 0:21 ` [10/25] md/raid5: abort any pending parity operations when array fails Greg KH
2011-11-23 0:21 ` [11/25] [media] Remove the old V4L1 v4lgrab.c file Greg KH
2011-11-23 0:21 ` [12/25] Revert "ALSA: hda: Fix quirk for Dell Inspiron 910" Greg KH
2011-11-23 0:21 ` [13/25] drm/i915: Sanity check pread/pwrite Greg KH
2011-11-23 0:21 ` [14/25] drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow Greg KH
2011-11-23 0:21 ` [15/25] genirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier Greg KH
2011-11-23 0:21 ` [16/25] mm: avoid null pointer access in vm_struct via /proc/vmallocinfo Greg KH
2011-11-23 0:21 ` Greg KH [this message]
2011-11-23 0:21 ` [18/25] kbuild: Fix passing -Wno-* options to gcc 4.4+ Greg KH
2011-11-23 0:21 ` [19/25] USB: serial: pl2303: rm duplicate id Greg KH
2011-11-23 0:21 ` [20/25] USB: Fix Corruption issue in USB ftdi driver ftdi_sio.c Greg KH
2011-11-23 0:21 ` [21/25] usb-storage: Accept 8020i-protocol commands longer than 12 bytes Greg KH
2011-11-23 0:21 ` [22/25] USB: add quirk for Logitech C600 web cam Greg KH
2011-11-23 0:21 ` [23/25] USB: quirks: adding more quirky webcams to avoid squeaky audio Greg KH
2011-11-23 0:21 ` [24/25] tty: Make tiocgicount a handler Greg KH
2011-11-23 0:21 ` [25/25] tty: icount changeover for other main devices Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111123002208.595716630@clark.kroah.org \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@davemloft.net \
--cc=herbert@gondor.hengli.com.au \
--cc=linux-kernel@vger.kernel.org \
--cc=shanwei@cn.fujitsu.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox