Diffstat (limited to 'batman-adv-Calculate-extra-tail-size-based-on-queued.patch')
-rw-r--r-- | batman-adv-Calculate-extra-tail-size-based-on-queued.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/batman-adv-Calculate-extra-tail-size-based-on-queued.patch b/batman-adv-Calculate-extra-tail-size-based-on-queued.patch new file mode 100644 index 00000000..32ad9694 --- /dev/null +++ b/batman-adv-Calculate-extra-tail-size-based-on-queued.patch 
@@ -0,0 +1,61 @@ +From: Sven Eckelmann <sven@narfation.org> +Date: Sat, 20 Dec 2014 13:48:55 +0100 +Subject: [PATCH] batman-adv: Calculate extra tail size based on queued + fragments +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The fragmentation code was replaced in 610bfc6bc99bc83680d190ebc69359a05fc7f605 +("batman-adv: Receive fragmented packets and merge"). The new code provided a +mostly unused parameter skb for the merging function. It is used inside the +function to calculate the additionally needed skb tailroom. But instead of +increasing its own tailroom, it is only increasing the tailroom of the first +queued skb. This is not correct in some situations because the first queued +entry can be a different one than the parameter. + +An observed problem was: + +1. packet with size 104, total_size 1464, fragno 1 was received + - packet is queued +2. packet with size 1400, total_size 1464, fragno 0 was received + - packet is queued at the end of the list +3. enough data was received and can be given to the merge function + (1464 == (1400 - 20) + (104 - 20)) + - merge functions gets 1400 byte large packet as skb argument +4. merge function gets first entry in queue (104 byte) + - stored as skb_out +5. merge function calculates the required extra tail as total_size - skb->len + - pskb_expand_head tail of skb_out with 64 bytes +6. merge function tries to squeeze the extra 1380 bytes from the second queued + skb (1400 byte aka skb parameter) in the 64 extra tail bytes of skb_out + +Instead calculate the extra required tail bytes for skb_out also using skb_out +instead of using the parameter skb. The skb parameter is only used to get the +total_size from the last received packet. This is also the total_size used to +decide that all fragments were received. 
+ +Reported-by: Philipp Psurek <philipp.psurek@gmail.com> +Signed-off-by: Sven Eckelmann <sven@narfation.org> +Acked-by: Martin Hundebøll <martin@hundeboll.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/batman-adv/fragmentation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c +index fc1835c6bb40..8af3461d18d2 100644 +--- a/net/batman-adv/fragmentation.c ++++ b/net/batman-adv/fragmentation.c +@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb) + kfree(entry); + + /* Make room for the rest of the fragments. */ +- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) { ++ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { + kfree_skb(skb_out); + skb_out = NULL; + goto free; +-- +2.1.0 + |
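Review bot: In the batadv_frag_merge_packets hunk of net/batman-adv/fragmentation.c, the new tailroom argument `size - skb_out->len` is computed with no visible check that size is at least skb_out->len. Per the commit message, size is the total_size taken from the last received packet, so it is a value read from the wire, while skb_out is the first queued fragment. If a fragment advertises a total_size smaller than the length of the first queued entry, the subtraction goes negative (or wraps, depending on the type of size, which these lines do not show) before it reaches pskb_expand_head. Consider bailing out when size < skb_out->len ahead of the pskb_expand_head call, through the same kfree_skb(skb_out) / goto free path, or confirm that the queueing code already guarantees a consistent total_size across all fragments in the chain. A short comment at the call stating that skb is now used only for total_size would also help, since the message itself describes the parameter as mostly unused.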