Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 13e9b997 authored by Jon Paul Maloy's avatar Jon Paul Maloy Committed by David S. Miller
Browse files

tipc: make tipc_buf_append() more robust 



As per comment from David Miller, we try to make the buffer reassembly
function more resilient to user errors than it is today.

- We check that the "*buf" parameter always is set, since this is
  mandatory input.

- We ensure that *buf->next always is set to NULL before linking in
  the buffer, instead of relying of the caller to have done this.

- We ensure that the "tail" pointer in the head buffer's control
  block is initialized to NULL when the first fragment arrives.

Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 3fd0202a

net/tipc/msg.c

+21 −8
Original line number Diff line number Diff line
@@ -72,27 +72,38 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) 
	struct sk_buff *head = *headbuf;

	struct sk_buff *frag = *buf;

	struct sk_buff *tail;

	struct tipc_msg *msg = buf_msg(frag);

	u32 fragid = msg_type(msg);

	bool headstolen;

	struct tipc_msg *msg;

	u32 fragid;

	int delta;

	bool headstolen;



	if (!frag)

		goto err;



	msg = buf_msg(frag);

	fragid = msg_type(msg);

	frag->next = NULL;

	skb_pull(frag, msg_hdr_sz(msg));



	if (fragid == FIRST_FRAGMENT) {

		if (head || skb_unclone(frag, GFP_ATOMIC))

			goto out_free;

		if (unlikely(head))

			goto err;

		if (unlikely(skb_unclone(frag, GFP_ATOMIC)))

			goto err;

		head = *headbuf = frag;

		skb_frag_list_init(head);

		TIPC_SKB_CB(head)->tail = NULL;

		*buf = NULL;

		return 0;

	}



	if (!head)

		goto out_free;

	tail = TIPC_SKB_CB(head)->tail;

		goto err;



	if (skb_try_coalesce(head, frag, &headstolen, &delta)) {

		kfree_skb_partial(frag, headstolen);

	} else {

		tail = TIPC_SKB_CB(head)->tail;

		if (!skb_has_frag_list(head))

			skb_shinfo(head)->frag_list = frag;

		else
@@ -102,6 +113,7 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) 
		head->len += frag->len;

		TIPC_SKB_CB(head)->tail = frag;

	}



	if (fragid == LAST_FRAGMENT) {

		*buf = head;

		TIPC_SKB_CB(head)->tail = NULL;
@@ -110,7 +122,8 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) 
	}

	*buf = NULL;

	return 0;

out_free:



err:

	pr_warn_ratelimited("Unable to build fragment list\n");

	kfree_skb(*buf);

	kfree_skb(*headbuf);