[PATCH] Fix ip6_build_xmit bug

Wanting to play a bit with v6 fragmentation I started using ping6 to
send various message sizes.  Noticed that messages of sizes just under
where fragmentation would kick in, segfaulted in ip6_build_xmit().

Looks like ip6_build_xmit does not allocate room for the
dev->hard_header_len on the non-fragmentation path as is done in other
places.  The hard header len gets reserved even though room was not
allocated for it.  Consequently, the put of the raw data can overflow
the skb.

Patch below for your consideration.

Best Regards,
Jon Grimm


--- lksctp-2.5/net/ipv6/ip6_output.c	Fri Mar 21 17:27:00 2003
+++ lksctp-2.5.work/net/ipv6/ip6_output.c	Fri Mar 21 17:24:38 2003
@@ -643,7 +643,8 @@
 		if (flags&MSG_PROBE)
 			goto out;
 		/* alloc skb with mtu as we do in the IPv4 stack for IPsec */
-		skb = sock_alloc_send_skb(sk, mtu, flags & MSG_DONTWAIT, &err);
+		skb = sock_alloc_send_skb(sk, mtu + dev->hard_header_len + 15,
+					  flags & MSG_DONTWAIT, &err);
 
 		if (skb == NULL) {
 			IP6_INC_STATS(Ip6OutDiscards);
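Review bot: the literal 15 added to the allocation size in the new sock_alloc_send_skb() call is not explained anywhere in the hunk; the only comment in range ("alloc skb with mtu as we do in the IPv4 stack for IPsec") still describes an allocation of exactly mtu bytes, so it is now stale. Since the cover text says the hard header length is reserved later without room having been allocated for it, the comment should state that the extra dev->hard_header_len covers that reserve and what the remaining 15 bytes are for (presumably alignment slack, but the hunk does not say so), or the slack should be expressed through whatever the other, already-correct allocation sites in the file use so the two paths cannot drift apart. It would also be worth confirming that the skb_reserve() that consumes the hard header room on this path reserves exactly dev->hard_header_len and nothing larger, since the overflow described in the cover text is the gap between what is reserved and what is allocated.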