BUG in 2.2.22 skb_realloc_headroom()

From: Nicolas S. Dade (ndade@adsl-63-197-69-248.dsl.snfc21.pacbell.net)
Date: Wed Oct 30 2002 - 00:19:45 EST


Kernel: 2.2.22
File: net/core/skbuff.c

skb_realloc_headroom() panics when new headroom is smaller
than existing headroom. Specifically the skb_put() fails
and calls skb_over_panic() because the new buffer is too
small.

When skb_realloc_headroom() is called from skb_cow(), it
can be called when the existing headroom size is >=
the desired headroom but the packet in question is cloned.

Then skb_realloc_headroom() allocates

 skb_alloc( skb->truesize + new_headroom - old_headroom )

but if the old_headroom > new_headroom then the resulting
buffer is too small to hold new_headroom + skb->len.

I found this when running tethereal (thus causing the packets
to be cloned for libpcap) and passing data from an acenic,
which allocates 48 bytes of headroom in its skbuffs, to
another ethernet device, which needs only 14 (rounded to 16)
bytes of headroom for the ethernet header.

Here's how I think it should be fixed:

-- 
-- Nicolas Dade    http://nsd.dyndns.org/





This archive was generated by hypermail 2b29 : Thu Oct 31 2002 - 22:00:46 EST