sctp: Fix SKB list traversal in sctp_intl_store_reasm(). (348bbc25) · Commits · e / devices / android_kernel_fairphone_FP5

net/sctp/stream_interleave.c

+12 −5

Original line number	Diff line number	Diff line
		@@ -140,7 +140,7 @@ static void sctp_intl_store_reasm(struct sctp_ulpq *ulpq,
		struct sctp_ulpevent *event)
		{
		struct sctp_ulpevent *cevent;
		struct sk_buff *pos;
		struct sk_buff pos, loc;

		pos = skb_peek_tail(&ulpq->reasm);
		if (!pos) {
		@@ -166,23 +166,30 @@ static void sctp_intl_store_reasm(struct sctp_ulpq *ulpq,
		return;
		}

		loc = NULL;
		skb_queue_walk(&ulpq->reasm, pos) {
		cevent = sctp_skb2event(pos);

		if (event->stream < cevent->stream \|\|
		(event->stream == cevent->stream &&
		MID_lt(event->mid, cevent->mid)))
		MID_lt(event->mid, cevent->mid))) {
		loc = pos;
		break;

		}
		if (event->stream == cevent->stream &&
		event->mid == cevent->mid &&
		!(cevent->msg_flags & SCTP_DATA_FIRST_FRAG) &&
		(event->msg_flags & SCTP_DATA_FIRST_FRAG \|\|
		event->fsn < cevent->fsn))
		event->fsn < cevent->fsn)) {
		loc = pos;
		break;
		}
		}

		__skb_queue_before(&ulpq->reasm, pos, sctp_event2skb(event));
		if (!loc)
		__skb_queue_tail(&ulpq->reasm, sctp_event2skb(event));
		else
		__skb_queue_before(&ulpq->reasm, loc, sctp_event2skb(event));
		}

		static struct sctp_ulpevent *sctp_intl_retrieve_partial(