Patchwork [Bug,11633] Kernel panic after patch f3994eceebf64cf356a82ffb2718ef538eb8d4f4

login
register
mail settings
Submitter Herbert Xu
Date Sept. 25, 2008, 3:25 a.m.
Message ID <20080925032554.GA16155@gondor.apana.org.au>
Download mbox | patch
Permalink /patch/1430/
State Accepted
Delegated to: David Miller
Headers show

Comments

Herbert Xu - Sept. 25, 2008, 3:25 a.m.
On Wed, Sep 24, 2008 at 07:49:55PM -0700, David Miller wrote:
> 
> I'll integrate this when I next get a chance.

Thanks!

Oh and to make it more obvious in future:

net: BUG instead of corrupting memory in pskb_expand_head

If the caller of pskb_expand_head specifies a negative nhead
we'll silently overwrite other people's memory.  This patch
makes it BUG instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>


Cheers,
David Miller - Oct. 1, 2008, 2:10 p.m.
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu, 25 Sep 2008 11:25:54 +0800

> net: BUG instead of corrupting memory in pskb_expand_head
> 
> If the caller of pskb_expand_head specifies a negative nhead
> we'll silently overwrite other people's memory.  This patch
> makes it BUG instead.
> 
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Applied to net-next-2.6, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index ca1ccdf..3fad166 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -701,6 +701,8 @@  int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 #endif
 	long off;
 
+	BUG_ON(nhead < 0);
+
 	if (skb_shared(skb))
 		BUG();