ip_queue_xmit(): dangling skb pointer (with patch)

Henner Eisen (eis@baty.hanse.de)
Tue, 31 Aug 1999 19:31:36 +0200


Hi,

when trying to track down a bug reported by users of isdn multilink ppp
(apparently somehow an skb with insufficient header space gets passed
down to the netdevice), I realized a potential bug in
ip_output.c:ip_queue_xmit(). After reallocation of headroom,
skb_set_owner_w() is called for the old and already freed skb instead
of the new one.

Although this bug is probably not responsible for the isdn problem
mentioned above, I think something like the following patch (or just
moving the "skb = skb2" upwards) should go in 2.2.13 and *-ac
(haven't checked whether the patch also qualifies for 2.3.x yet.)

Henner

--- linux-2.2.12/net/ipv4/ip_output.c.orig Tue Aug 31 18:03:14 1999
+++ linux-2.2.12/net/ipv4/ip_output.c Tue Aug 31 18:04:12 1999
@@ -315,17 +315,17 @@
if (skb_headroom(skb) < dev->hard_header_len && dev->hard_header) {
struct sk_buff *skb2;

skb2 = skb_realloc_headroom(skb, (dev->hard_header_len + 15) & ~15);
kfree_skb(skb);
if (skb2 == NULL)
return;
if (sk)
- skb_set_owner_w(skb, sk);
+ skb_set_owner_w(skb2, sk);
skb = skb2;
iph = skb->nh.iph;
}

/* Do we need to fragment. Again this is inefficient. We
* need to somehow lock the original buffer and use bits of it.
*/
if (tot_len > rt->u.dst.pmtu)
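Review bot: the one-line change to the skb_set_owner_w() call is correct, but the hunk still leaves kfree_skb(skb) two lines above the last remaining use of the old pointer, which is exactly what let the dangling reference go unnoticed; assigning skb = skb2 immediately after the "if (skb2 == NULL) return;" check and then calling skb_set_owner_w(skb, sk) would make it impossible to touch the freed buffer again from this block. Worth a comment either way: the bare return on skb2 == NULL is only leak-free because the old skb has already been released by the kfree_skb() above it, so anyone reordering these lines later needs to know that the free is deliberate.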

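The ordering problem the patch addresses, reduced to a stand-alone C model. This is an added example, not kernel code and not from the poster: the sk_buff, sock, alloc_skb, skb_realloc_headroom, kfree_skb and skb_set_owner_w below are toy stand-ins with the same shape as the calls in the hunk. kfree_skb() in the model only releases the data buffer and flags the struct, so that a write through the stale pointer can be reported instead of corrupting freed memory; ensure_headroom() runs the pre-patch ordering (owner set on the freed skb) or the patched ordering depending on its last argument. The 14-byte hard_header_len and the 2-byte/20-byte skb are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for the kernel types; field layout is illustrative only. */
struct sock { int wmem_alloc; };

struct sk_buff {
    unsigned char *head;   /* start of the allocation */
    unsigned char *data;   /* start of packet data; headroom = data - head */
    size_t len;
    struct sock *owner;
    int freed;             /* set by kfree_skb so a dangling use is observable */
};

struct xmit_result { int rc; size_t headroom; int owner_ok; };

static struct sk_buff *alloc_skb(size_t headroom, size_t len)
{
    struct sk_buff *skb = calloc(1, sizeof *skb);
    if (!skb) return NULL;
    skb->head = malloc(headroom + len);
    if (!skb->head) { free(skb); return NULL; }
    skb->data = skb->head + headroom;
    skb->len = len;
    return skb;
}

static size_t skb_headroom(const struct sk_buff *skb)
{
    return (size_t)(skb->data - skb->head);
}

/* Copy the packet into a new buffer with at least newheadroom bytes in front.
 * Like the kernel helper, it leaves the old skb to the caller. */
static struct sk_buff *skb_realloc_headroom(const struct sk_buff *skb, size_t newheadroom)
{
    struct sk_buff *n = alloc_skb(newheadroom, skb->len);
    if (!n) return NULL;
    memcpy(n->data, skb->data, skb->len);
    return n;
}

/* Model of kfree_skb: the data goes away, the struct is kept (and flagged)
 * purely so that a later use through the stale pointer can be detected. */
static void kfree_skb(struct sk_buff *skb)
{
    free(skb->head);
    skb->head = skb->data = NULL;
    skb->freed = 1;
}

static void skb_destroy(struct sk_buff *skb) { free(skb); }

/* Charge the socket for the buffer; report instead of writing into a freed skb. */
static int skb_set_owner_w(struct sk_buff *skb, struct sock *sk)
{
    if (skb->freed) return -1;
    skb->owner = sk;
    sk->wmem_alloc += (int)skb->len;
    return 0;
}

/* Headroom fix-up in the shape of the ip_queue_xmit() block from the hunk.
 * fixed == 0 reproduces the pre-patch ordering, fixed == 1 the patched one. */
static int ensure_headroom(struct sk_buff **pskb, struct sock *sk,
                           size_t hard_header_len, int fixed)
{
    struct sk_buff *skb = *pskb;
    int rc = 0;

    if (skb_headroom(skb) < hard_header_len) {
        struct sk_buff *skb2 = skb_realloc_headroom(skb, (hard_header_len + 15) & ~15);
        kfree_skb(skb);
        if (skb2 == NULL) return -2;          /* old skb already released above */
        if (sk && skb_set_owner_w(fixed ? skb2 : skb, sk) != 0)
            rc = -1;                          /* owner was written to the freed skb */
        skb_destroy(skb);
        *pskb = skb2;
    }
    return rc;
}

/* Run one variant end to end on constructed input and report what happened. */
static struct xmit_result run_variant(int fixed)
{
    struct xmit_result r = { -2, 0, 0 };
    struct sock sk = { 0 };
    struct sk_buff *skb = alloc_skb(2, 20);   /* constructed: 2 bytes headroom, 20-byte payload */
    if (!skb) return r;
    r.rc = ensure_headroom(&skb, &sk, 14, fixed);   /* 14 = Ethernet-style hard_header_len */
    r.headroom = skb_headroom(skb);
    r.owner_ok = (skb->owner == &sk);
    kfree_skb(skb);
    skb_destroy(skb);
    return r;
}

int main(void)
{
    struct xmit_result bug = run_variant(0), fix = run_variant(1);
    printf("pre-patch: rc=%d headroom=%zu owner_ok=%d\n", bug.rc, bug.headroom, bug.owner_ok);
    printf("patched:   rc=%d headroom=%zu owner_ok=%d\n", fix.rc, fix.headroom, fix.owner_ok);
    return 0;
}
```

With the pre-patch ordering the owner write lands on the flagged, already-freed skb and the new buffer is left unowned, so the socket never gets charged for it; with the patched ordering the new skb carries the owner and the rounded-up 16 bytes of headroom. In the real kernel the same stale write hits freed slab memory, which is why the poster's alternative of assigning skb = skb2 first is the more robust shape.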