Message ID | 1478098397.7065.370.camel@edumazet-glaptop3.roam.corp.google.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
From: Eric Dumazet <eric.dumazet@gmail.com> Date: Wed, 02 Nov 2016 07:53:17 -0700 > From: Eric Dumazet <edumazet@google.com> > > Imagine initial value of max_skb_frags is 17, and last > skb in write queue has 15 frags. > > Then max_skb_frags is lowered to 14 or smaller value. > > tcp_sendmsg() will then be allowed to add additional page frags > and eventually go past MAX_SKB_FRAGS, overflowing struct > skb_shared_info. > > Fixes: 5f74f82ea34c ("net:Add sysctl_max_skb_frags") > Signed-off-by: Eric Dumazet <edumazet@google.com> Applied and queued up for -stable, thanks.
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 3251fe71f39f..18238ef8135a 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -1241,7 +1241,7 @@ int tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) if (!skb_can_coalesce(skb, i, pfrag->page, pfrag->offset)) { - if (i == sysctl_max_skb_frags || !sg) { + if (i >= sysctl_max_skb_frags || !sg) { tcp_mark_push(tp, skb); goto new_segment; }