Commit 0e033e04 authored Nov 05, 2013 by Hannes Frederic Sowa Committed by David S. Miller Nov 05, 2013

ipv6: fix headroom calculation in udp6_ufo_fragment



Commit 1e2bd517 ("udp6: Fix udp
fragmentation for tunnel traffic.") changed the calculation if
there is enough space to include a fragment header in the skb from a
skb->mac_header dervived one to skb_headroom. Because we already peeled
off the skb to transport_header this is wrong. Change this back to check
if we have enough room before the mac_header.

This fixes a panic Saran Neti reported. He used the tbf scheduler which
skb_gso_segments the skb. The offsets get negative and we panic in memcpy
because the skb was erroneously not expanded at the head.

Reported-by: Saran Neti <Saran.Neti@telus.com>
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 1cce16d3

net/ipv6/udp_offload.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -90,7 +90,7 @@ static struct sk_buff udp6_ufo_fragment(struct sk_buff skb,

		/* Check if there is enough headroom to insert fragment header. */
		tnl_hlen = skb_tnl_header_len(skb);
		if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
		if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
		if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
		goto out;
		}