[TIPC] Fixed sk_buff panic caused by tipc_link_bundle_buf (REVISED)

The recent change to direct inspection of bundle buffer tailroom did not account for the possiblity of unrequested tailroom added by skb_alloc(), thereby allowing a bundle to be created that exceeds the current link MTU. An additional check now ensures that bundling works correctly no matter if the bundle buffer is smaller, larger, or equal to the link MTU. Signed-off-by: Allan Stephens <allan.stephens@windriver.com> Signed-off-by: Per Liden <per.liden@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Allan Stephens <allan.stephens@windriver.com> 2006-07-04 02:39:36 (GMT)
committer: David S. Miller <davem@davemloft.net> 2006-07-04 02:39:36 (GMT)
commit: 863fae666acb87b150f4634e6e79476ebe274f43 (patch)
tree: 59b09c818b986972dc831f43a81ada63f3f824f3 /net/tipc/link.c
parent: bbcf467dab42ea3c85f368df346c82af2fbba665 (diff)
download: linux-fsl-qoriq-863fae666acb87b150f4634e6e79476ebe274f43.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c
index c6831c7..c10e18a 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -998,6 +998,8 @@ static int link_bundle_buf(struct link *l_ptr,
 		return 0;
 	if (skb_tailroom(bundler) < (pad + size))
 		return 0;
+	if (link_max_pkt(l_ptr) < (to_pos + size))
+		return 0;
 
 	skb_put(bundler, pad + size);
 	memcpy(bundler->data + to_pos, buf->data, size);
author	Allan Stephens <allan.stephens@windriver.com>	2006-07-04 02:39:36 (GMT)
committer	David S. Miller <davem@davemloft.net>	2006-07-04 02:39:36 (GMT)
commit	863fae666acb87b150f4634e6e79476ebe274f43 (patch)
tree	59b09c818b986972dc831f43a81ada63f3f824f3 /net/tipc/link.c
parent	bbcf467dab42ea3c85f368df346c82af2fbba665 (diff)
download	linux-fsl-qoriq-863fae666acb87b150f4634e6e79476ebe274f43.tar.xz