Commit e49060c7cab6ca856d048e1e10d71c0e6fedf376

Authored by Allan Stephens
Committed by David S. Miller
1 parent caf430f371

[TIPC]: Fixed skb_under_panic caused by tipc_link_bundle_buf

Now determines tailroom of bundle buffer by directly inspection of buffer.
Previously, buffer was assumed to have a max capacity equal to the link MTU,
but the addition of link MTU negotiation means that the link MTU can increase
after the bundle buffer is allocated.

Signed-off-by: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: Per Liden <per.liden@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 6 additions and 5 deletions Side-by-side Diff

... ... @@ -2,7 +2,7 @@
2 2 * net/tipc/link.c: TIPC link code
3 3 *
4 4 * Copyright (c) 1996-2006, Ericsson AB
5   - * Copyright (c) 2004-2005, Wind River Systems
  5 + * Copyright (c) 2004-2006, Wind River Systems
6 6 * All rights reserved.
7 7 *
8 8 * Redistribution and use in source and binary forms, with or without
9 9  
10 10  
... ... @@ -988,17 +988,18 @@
988 988 struct tipc_msg *bundler_msg = buf_msg(bundler);
989 989 struct tipc_msg *msg = buf_msg(buf);
990 990 u32 size = msg_size(msg);
991   - u32 to_pos = align(msg_size(bundler_msg));
992   - u32 rest = link_max_pkt(l_ptr) - to_pos;
  991 + u32 bundle_size = msg_size(bundler_msg);
  992 + u32 to_pos = align(bundle_size);
  993 + u32 pad = to_pos - bundle_size;
993 994  
994 995 if (msg_user(bundler_msg) != MSG_BUNDLER)
995 996 return 0;
996 997 if (msg_type(bundler_msg) != OPEN_MSG)
997 998 return 0;
998   - if (rest < align(size))
  999 + if (skb_tailroom(bundler) < (pad + size))
999 1000 return 0;
1000 1001  
1001   - skb_put(bundler, (to_pos - msg_size(bundler_msg)) + size);
  1002 + skb_put(bundler, pad + size);
1002 1003 memcpy(bundler->data + to_pos, buf->data, size);
1003 1004 msg_set_size(bundler_msg, to_pos + size);
1004 1005 msg_set_msgcnt(bundler_msg, msg_msgcnt(bundler_msg) + 1);