Skip to content

Commit

Permalink
skbuff: don't corrupt mac_header on skb expansion
Browse files Browse the repository at this point in the history 
The skb mac_header field is sometimes NULL (or ~0u) as a sentinel
value. The places where skb is expanded add an offset which would
change this flag into an invalid pointer (or offset).

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
  • Loading branch information
@davem330
Stephen Hemminger authored and davem330 committed Jun 18, 2009
1 parent 19633e1 commit 603a8bb
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions net/core/skbuff.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -661,7 +661,8 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
/* {transport,network,mac}_header are relative to skb->head */
new->transport_header += offset;
new->network_header += offset;
new->mac_header += offset;
if (skb_mac_header_was_set(new))
new->mac_header += offset;
#endif
skb_shinfo(new)->gso_size = skb_shinfo(old)->gso_size;
skb_shinfo(new)->gso_segs = skb_shinfo(old)->gso_segs;
Expand Down Expand Up @@ -843,7 +844,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
skb->tail += off;
skb->transport_header += off;
skb->network_header += off;
skb->mac_header += off;
if (skb_mac_header_was_set(skb))
skb->mac_header += off;
skb->csum_start += nhead;
skb->cloned = 0;
skb->hdr_len = 0;
Expand Down Expand Up @@ -935,7 +937,8 @@ struct sk_buff *skb_copy_expand(const struct sk_buff *skb,
#ifdef NET_SKBUFF_DATA_USES_OFFSET
n->transport_header += off;
n->network_header += off;
n->mac_header += off;
if (skb_mac_header_was_set(skb))
n->mac_header += off;
#endif

return n;
Expand Down

0 comments on commit 603a8bb

Please sign in to comment.