-
Patrick McHardy authored
This check is wrong, gcc optimizes it away: if ((len -= sizeof(pi)) > len) return -EINVAL; This could be responsible for the BUG. If len is 2 or 3 and TUN_NO_PI isn't set it underflows. alloc_skb() allocates len + 2, which is 0 or 1 byte. skb_reserve tries to reserve 2 bytes and things explode in skb_put. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
1ca45a72