diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2005-09-14 20:50:35 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-09-14 20:50:35 -0700 |
commit | 3c05d92ed49f644d1f5a960fa48637d63b946016 (patch) | |
tree | 4882f2b114f7bb497e9844e21fe8bff4f8160def /net/ipv4/tcp_output.c | |
parent | 1619cca2921f6927f4240e03f413d4165c7002fc (diff) | |
download | lwn-3c05d92ed49f644d1f5a960fa48637d63b946016.tar.gz lwn-3c05d92ed49f644d1f5a960fa48637d63b946016.zip |
[TCP]: Compute in_sacked properly when we split up a TSO frame.
The problem is that the SACK fragmenting code may incorrectly call
tcp_fragment() with a length larger than the skb->len. This happens
when the skb on the transmit queue completely falls to the LHS of the
SACK.
And add a BUG() check to tcp_fragment() so we can spot this kind of
error more quickly in the future.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_output.c')
-rw-r--r-- | net/ipv4/tcp_output.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index c10e4435e3b1..b018e31b6530 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -435,6 +435,8 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss int nsize, old_factor; u16 flags; + BUG_ON(len >= skb->len); + nsize = skb_headlen(skb) - len; if (nsize < 0) nsize = 0; |