[TIPC] Fixed sk_buff panic caused by tipc_link_bundle_buf (REVISED)
The recent change to direct inspection of bundle buffer tailroom did not
account for the possibility of unrequested tailroom added by skb_alloc(),
thereby allowing a bundle to be created that exceeds the current link MTU.
An additional check now ensures that bundling works correctly no matter
if the bundle buffer is smaller, larger, or equal to the link MTU.

Signed-off-by: Allan Stephens <[email protected]>
Signed-off-by: Per Liden <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
ajstephens authored and davem330 committed Jul 4, 2006
1 parent bbcf467 commit 863fae6
Showing 2 changed files with 6 additions and 1 deletion.
5 changes: 4 additions & 1 deletion net/tipc/core.h
@@ -297,7 +297,10 @@ static inline struct tipc_msg *buf_msg(struct sk_buff *skb)
* buf_acquire - creates a TIPC message buffer
* @size: message size (including TIPC header)
*
* Returns a new buffer. Space is reserved for a data link header.
* Returns a new buffer with data pointers set to the specified size.
*
* NOTE: Headroom is reserved to allow prepending of a data link header.
* There may also be unrequested tailroom present at the buffer's end.
*/

static inline struct sk_buff *buf_acquire(u32 size)
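Review bot: the new NOTE records the hazard behind this fix (the allocator may hand back more tailroom than requested), but the doc still leaves it to the reader to infer the consequence for callers; since the surplus is exactly what made skb_tailroom() an unsafe bound in link_bundle_buf(), consider adding one sentence after "There may also be unrequested tailroom present at the buffer's end." stating that callers must not treat skb_tailroom() on the returned buffer as a proxy for the link MTU and should check link_max_pkt() instead. The "Returns a new buffer with data pointers set to the specified size." line is a clear improvement over the old wording and needs no change.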
2 changes: 2 additions & 0 deletions net/tipc/link.c
@@ -998,6 +998,8 @@ static int link_bundle_buf(struct link *l_ptr,
return 0;
if (skb_tailroom(bundler) < (pad + size))
return 0;
if (link_max_pkt(l_ptr) < (to_pos + size))
return 0;

skb_put(bundler, pad + size);
memcpy(bundler->data + to_pos, buf->data, size);
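Review bot: the two adjacent guards use different bases, which is easy to misread: `skb_tailroom(bundler) < (pad + size)` measures the increment from the current tail, while the added `link_max_pkt(l_ptr) < (to_pos + size)` measures the resulting total bundle length, and the skb_put()/memcpy() that follow use one of each. A short comment on the new line (e.g. "to_pos + size is the bundle's total length after appending; the skb may have surplus tailroom beyond the MTU") would make the intent explicit and document why the tailroom check alone is not enough. The `<` comparison accepts a bundle whose length equals the link MTU, which matches the commit message's "smaller, larger, or equal"; returning 0 so the caller falls back to sending the message unbundled is the right failure mode for the oversized case.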
