From: Dan Aloni <da-x@monatomic.org>
To: Linux Kernel List <linux-kernel@vger.kernel.org>
Cc: netdev@vger.kernel.org
Subject: [PATCH] tcp_sendpage(): fix broken page iteration
Date: Sun, 18 Mar 2007 14:43:46 +0200
Message-ID: <20070318124346.GA6396@localdomain>

do_tcp_sendpages() should not iterate 'pages' as an array since
it is not an array of 'struct page *', but a pointer to a single
entity of 'struct page *' passed on the stack as a parameter to
tcp_sendpage() (hence it would crash if poffset + psize > PAGE_SIZE,
because pages[1] and beyond most probably do not constitute a valid
'struct page *').

Since 'page' points to an array of 'struct page', the obvious fix
is to iterate that array instead, and that's what the function
should have done in the first place.

Applies to 2.6.21-rc4 and above.

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 3834b10..4881c8d 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -501,7 +501,7 @@ static inline void tcp_push(struct sock *sk, struct tcp_sock *tp, int flags,
}
}
-static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffset,
+static ssize_t do_tcp_sendpages(struct sock *sk, struct page *pages, int poffset,
size_t psize, int flags)
{
struct tcp_sock *tp = tcp_sk(sk);
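Review bot: Missing documentation on the new `struct page *pages` parameter in the do_tcp_sendpages() prototype: the name is unchanged, but it now means the first entry of a run of struct page rather than an array of page pointers, and nothing here says how far that run must extend. A comment above the function stating that every entry up to index (poffset + psize - 1) / PAGE_SIZE must be valid and owned by the caller would make the contract reviewable, and renaming the parameter would keep anyone from reading it with the old meaning.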
@@ -527,7 +527,7 @@ static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffse
while (psize > 0) {
struct sk_buff *skb = sk->sk_write_queue.prev;
- struct page *page = pages[poffset / PAGE_SIZE];
+ struct page *page = &pages[poffset / PAGE_SIZE];
int copy, i, can_coalesce;
int offset = poffset % PAGE_SIZE;
int size = min_t(size_t, psize, PAGE_SIZE - offset);
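Review bot: Missing check at `struct page *page = &pages[poffset / PAGE_SIZE];`: the index is now plain pointer arithmetic on struct page, so once poffset reaches PAGE_SIZE the loop uses whatever struct page sits next to the one passed in, and the visible lines do not establish that it belongs to the same buffer. Either validate poffset + psize against what the caller is known to hold before entering the while loop, or explain in the changelog why adjacent struct page entries are guaranteed to describe the caller's data.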
@@ -630,7 +630,7 @@ ssize_t tcp_sendpage(struct socket *sock, struct page *page, int offset,
lock_sock(sk);
TCP_CHECK_TIMER(sk);
- res = do_tcp_sendpages(sk, &page, offset, size, flags);
+ res = do_tcp_sendpages(sk, page, offset, size, flags);
TCP_CHECK_TIMER(sk);
release_sock(sk);
return res;
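Review bot: No bound on offset + size at the call `res = do_tcp_sendpages(sk, page, offset, size, flags);`: tcp_sendpage() receives a single `struct page *page` and forwards offset and size unchecked, while the changelog names poffset + psize > PAGE_SIZE as the crashing case. The changelog should say which sendpage caller passes a span that crosses a page boundary; if none is expected to, rejecting such a request here is a smaller change than altering the iteration. The submission also carries no Signed-off-by line.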
--
Dan Aloni
XIV LTD, http://www.xivstorage.com
da-x (at) monatomic.org, dan (at) xiv.co.il