#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 65d6e954e378
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 0665e8b09968..7978335c1fc4 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1517,8 +1517,10 @@ static int __ip6_append_data(struct sock *sk,
 rt->rt6i_nfheader_len;
 if (mtu <= fragheaderlen ||
- ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
+ ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr)) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
 goto emsgsize;
+ }
 maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
 sizeof(struct frag_hdr);
@@ -1526,8 +1528,10 @@ static int __ip6_append_data(struct sock *sk,
 /* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
 * the first fragment
 */
- if (headersize + transhdrlen > mtu)
+ if (headersize + transhdrlen > mtu) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
 goto emsgsize;
+ }
 if (cork->length + length > mtu - headersize && ipc6->dontfrag &&
 (sk->sk_protocol == IPPROTO_UDP ||
@@ -1535,15 +1539,23 @@ static int __ip6_append_data(struct sock *sk,
 sk->sk_protocol == IPPROTO_RAW)) {
 ipv6_local_rxpmtu(sk, fl6, mtu - headersize +
 sizeof(struct ipv6hdr));
+ printk("__%u__: EMSGSIZE\n", __LINE__);
 goto emsgsize;
 }
- if (ip6_sk_ignore_df(sk))
+ if (ip6_sk_ignore_df(sk)) {
 maxnonfragsize = sizeof(struct ipv6hdr) + IPV6_MAXPLEN;
- printk("MAXPLEN\n");
+ } else {
 maxnonfragsize = mtu;
+ printk("mtu\n");
+ }
+ printk("check %d %zd %d %d, %d %d\n",
+ cork->length, length, maxnonfragsize, headersize,
+ transhdrlen, mtu);
 if (cork->length + length > maxnonfragsize - headersize) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
 emsgsize:
 pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
 ipv6_local_error(sk, EMSGSIZE, fl6, pmtu); 
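Review bot: The added `printk("__%u__: EMSGSIZE\n", __LINE__);` in the first hunk carries no KERN_&lt;level&gt; facility and is not rate limited, yet it sits on the EMSGSIZE path that any unprivileged sendmsg() with an oversized datagram can reach, so a local user can flood the kernel log at will. For a `#syz test` throwaway this is tolerable, but if any of these lines survive into a real patch they should become `pr_debug("%s: EMSGSIZE at line %u\n", __func__, __LINE__);` (gated by dynamic debug) or `net_dbg_ratelimited(...)`. The same comment applies to the identical printk in the second hunk. __ip6_append_data() starts and ends outside these hunks.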
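Review bot: The format string in `printk("check %d %zd %d %d, %d %d\n", cork->length, length, maxnonfragsize, headersize, transhdrlen, mtu);` (third hunk) does not match its arguments: `%zd` is for ssize_t, while `length` is, if I read the __ip6_append_data() signature correctly, a `size_t`, and the `max_t(int, mtu - headersize ...)` clamp visible in the same hunk suggests `mtu` is unsigned, so `%zu` and `%u` are the matching specifiers and -Wformat would otherwise complain. Separately, the hunk as rendered here looks garbled: a removed line reads `- printk("MAXPLEN\n");`, but the header counts (15 old, 23 new) need ten additions and two removals, which fits `-	else` followed by `+		printk("MAXPLEN\n");` rather than what is shown; worth confirming against the actual patch before trusting the `if (ip6_sk_ignore_df(sk))` rewrite.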
@@ -1817,8 +1829,10 @@ static int __ip6_append_data(struct sock *sk,
 if (!skb_can_coalesce(skb, i, pfrag->page,
 pfrag->offset)) {
 err = -EMSGSIZE;
- if (i == MAX_SKB_FRAGS)
+ if (i == MAX_SKB_FRAGS) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
 goto error;
+ }
 __skb_fill_page_desc(skb, i, pfrag->page,
 pfrag->offset, 0);
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index ed8ebb6f5909..daaaf60dce01 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -502,6 +502,8 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 int ulen;
 int err;
+ printk("%s()\n", __func__);
+
 /* Rough check on arithmetic overflow,
 * better check is made in ip6_append_data().
 */
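Review bot: The unconditional `printk("%s()\n", __func__);` added at the top of l2tp_ip6_sendmsg() logs one line per sendmsg() call with no KERN_&lt;level&gt; and no throttling, so any process holding an L2TP/IPv6 socket can saturate the log buffer and drown out the diagnostics this patch is trying to capture. If the trace is needed beyond this syzbot run, `pr_debug("%s()\n", __func__);` keeps it off by default and switchable via dynamic debug; `net_dbg_ratelimited()` is the alternative if it must be visible at runtime. The rest of l2tp_ip6_sendmsg(), including the overflow check the following comment refers to, lies outside this hunk.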