From patchwork Wed Feb 13 23:40:21 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: net: Convert skb->csum_(start|offset) integrity BUG_ON() to WARN_ON() & drop Date: Wed, 13 Feb 2013 13:40:21 -0000 From: Thomas Graf X-Patchwork-Id: 220301 Message-Id: <20130213234021.GA21829@casper.infradead.org> To: davem@davemloft.net Cc: netdev@vger.kernel.org skb_checksum_help() verifies the integrity of skb->csum_start and skb->csum_offset with BUG_ON()s. They have been hit with IPoIB which uses a 64K MTU. If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start. This in turn will trigger the BUG_ON() in skb_checksum_help(). Convert these to WARN_ON() and drop the packet. Signed-off-by: Thomas Graf --- net/core/dev.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/core/dev.c b/net/core/dev.c index f64e439..629d22e 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2047,11 +2047,14 @@ int skb_checksum_help(struct sk_buff *skb) } offset = skb_checksum_start_offset(skb); - BUG_ON(offset >= skb_headlen(skb)); + if (WARN_ON(offset >= skb_headlen(skb))) + return -ERANGE; + csum = skb_checksum(skb, offset, skb->len - offset, 0); offset += skb->csum_offset; - BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb)); + if (WARN_ON(offset + sizeof(__sum16) > skb_headlen(skb))) + return -ERANGE; if (skb_cloned(skb) && !skb_clone_writable(skb, offset + sizeof(__sum16))) {
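Review bot: both new `if (WARN_ON(...)) return -ERANGE;` checks in skb_checksum_help() emit a full warning with stack trace on every offending packet, and the commit message says the condition is reachable from ordinary traffic (IPoIB with a 64K MTU, retransmissions collapsed multiple times), so a burst of such packets can flood the kernel log. WARN_ON_ONCE() or a rate-limited message would keep the diagnostic without that cost. The hunk itself only returns an error: the "drop the packet" behaviour promised in the description depends on every caller of skb_checksum_help() treating a nonzero return as a drop, which the changelog should state or the patch should show. The 16-bit skb->csum_start overflow that produces the bad offset is left in place, so this contains the crash rather than fixing the cause, and the description would be clearer if it said so.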