Doug / smarc-fsl-linux-kernel

Download as
Browse Code »

Commit 6e42141009ff18297fe19d19296738b742f861db

Authored by Ilpo Järvinen
Committed by David S. Miller
1 parent 1f8170b0ec
Exists in master and in 7 other branches imx_3.0.35_4.1.0, imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-l5.0.0_1.0.0-ga

[TCP] MTUprobe: fix potential sk_send_head corruption 

When the abstraction functions got added, conversion here was
made incorrectly. As a result, the skb may end up pointing
to skb which got included to the probe skb and then was freed.
For it to trigger, however, skb_transmit must fail sending as
well.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 2 changed files with 3 additions and 1 deletions Side-by-side Diff

... ... @@ -1288,6 +1288,9 @@
1288 1288 struct sock *sk)
1289 1289 {
1290 1290 __skb_insert(new, skb->prev, skb, &sk->sk_write_queue);
  1291 +
  1292 + if (sk->sk_send_head == skb)
  1293 + sk->sk_send_head = new;
1291 1294 }
1292 1295  
1293 1296 static inline void tcp_unlink_write_queue(struct sk_buff *skb, struct sock *sk)
net/ipv4/tcp_output.c
Diff comments   View file @ 6e42141
... ... @@ -1352,7 +1352,6 @@
1352 1352  
1353 1353 skb = tcp_send_head(sk);
1354 1354 tcp_insert_write_queue_before(nskb, skb, sk);
1355   - tcp_advance_send_head(sk, skb);
1356 1355  
1357 1356 TCP_SKB_CB(nskb)->seq = TCP_SKB_CB(skb)->seq;
1358 1357 TCP_SKB_CB(nskb)->end_seq = TCP_SKB_CB(skb)->seq + probe_size;