diff options
author | Erik Hugne <erik.hugne@ericsson.com> | 2014-02-11 11:38:26 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-02-13 16:35:05 -0500 |
commit | 64380a04deeed4720de76b086a3a4eab8dd41671 (patch) | |
tree | fff21ed581434a3ecb936c6127ae3e7905d9c3a1 /net/tipc/link.c | |
parent | d15891ca1fdd7f1f46cede1dc15bcfbf0445a658 (diff) |
tipc: fix message corruption bug for deferred packets
If a packet received on a link is out-of-sequence, it will be
placed on a deferred queue and later reinserted in the receive
path once the preceding packets have been processed. The problem
with this is that it will be subject to the buffer adjustment from
link_recv_buf_validate twice. The second adjustment for 20 bytes
header space will corrupt the packet.
We solve this by tagging the deferred packets and bail out from
receive buffer validation for packets that have already been
subjected to this.
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc/link.c')
-rw-r--r-- | net/tipc/link.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c index d4b5de41b68..da6018beb6e 100644 --- a/net/tipc/link.c +++ b/net/tipc/link.c @@ -1391,6 +1391,12 @@ static int link_recv_buf_validate(struct sk_buff *buf) u32 hdr_size; u32 min_hdr_size; + /* If this packet comes from the defer queue, the skb has already + * been validated + */ + if (unlikely(TIPC_SKB_CB(buf)->deferred)) + return 1; + if (unlikely(buf->len < MIN_H_SIZE)) return 0; @@ -1703,6 +1709,7 @@ static void link_handle_out_of_seq_msg(struct tipc_link *l_ptr, &l_ptr->newest_deferred_in, buf)) { l_ptr->deferred_inqueue_sz++; l_ptr->stats.deferred_recv++; + TIPC_SKB_CB(buf)->deferred = true; if ((l_ptr->deferred_inqueue_sz % 16) == 1) tipc_link_send_proto_msg(l_ptr, STATE_MSG, 0, 0, 0, 0, 0); } else |