| Message ID | 4DAE9EE1.1050405@cn.fujitsu.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
On Wed, Apr 20, 2011 at 04:52:49PM +0800, Shan Wei wrote: > At this point, skb->data points to skb_transport_header. > So, headroom check is wrong. > > For some case:bridge(UFO is on) + eth device(UFO is off), > there is no enough headroom for IPv6 frag head. > But headroom check is always false. > > This will bring about data be moved to there prior to skb->head, > when adding IPv6 frag header to skb. > > Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> Ouch. Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Thanks,
From: Herbert Xu <herbert@gondor.apana.org.au> Date: Wed, 20 Apr 2011 18:50:07 +0800 > On Wed, Apr 20, 2011 at 04:52:49PM +0800, Shan Wei wrote: >> At this point, skb->data points to skb_transport_header. >> So, headroom check is wrong. >> >> For some case:bridge(UFO is on) + eth device(UFO is off), >> there is no enough headroom for IPv6 frag head. >> But headroom check is always false. >> >> This will bring about data be moved to there prior to skb->head, >> when adding IPv6 frag header to skb. >> >> Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> > > Ouch. > > Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 15c3774..9e305d7 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) skb->ip_summed = CHECKSUM_NONE; /* Check if there is enough headroom to insert fragment header. */ - if ((skb_headroom(skb) < frag_hdr_sz) && + if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) && pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC)) goto out;
At this point, skb->data points to skb_transport_header. So, headroom check is wrong. For some case:bridge(UFO is on) + eth device(UFO is off), there is no enough headroom for IPv6 frag head. But headroom check is always false. This will bring about data be moved to there prior to skb->head, when adding IPv6 frag header to skb. Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> --- net/ipv6/udp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)