Commit 64380a04 authored by Erik Hugne's avatar Erik Hugne Committed by David S. Miller

tipc: fix message corruption bug for deferred packets

If a packet received on a link is out-of-sequence, it will be
placed on a deferred queue and later reinserted in the receive
path once the preceding packets have been processed. The problem
with this is that it will be subject to the buffer adjustment from
link_recv_buf_validate twice. The second adjustment for 20 bytes
header space will corrupt the packet.

We solve this by tagging the deferred packets and bail out from
receive buffer validation for packets that have already been
subjected to this.
Signed-off-by: default avatarErik Hugne <erik.hugne@ericsson.com>
Reviewed-by: default avatarJon Maloy <jon.maloy@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent d15891ca
...@@ -192,6 +192,7 @@ static inline void k_term_timer(struct timer_list *timer) ...@@ -192,6 +192,7 @@ static inline void k_term_timer(struct timer_list *timer)
struct tipc_skb_cb { struct tipc_skb_cb {
void *handle; void *handle;
bool deferred;
}; };
#define TIPC_SKB_CB(__skb) ((struct tipc_skb_cb *)&((__skb)->cb[0])) #define TIPC_SKB_CB(__skb) ((struct tipc_skb_cb *)&((__skb)->cb[0]))
......
...@@ -1391,6 +1391,12 @@ static int link_recv_buf_validate(struct sk_buff *buf) ...@@ -1391,6 +1391,12 @@ static int link_recv_buf_validate(struct sk_buff *buf)
u32 hdr_size; u32 hdr_size;
u32 min_hdr_size; u32 min_hdr_size;
/* If this packet comes from the defer queue, the skb has already
* been validated
*/
if (unlikely(TIPC_SKB_CB(buf)->deferred))
return 1;
if (unlikely(buf->len < MIN_H_SIZE)) if (unlikely(buf->len < MIN_H_SIZE))
return 0; return 0;
...@@ -1703,6 +1709,7 @@ static void link_handle_out_of_seq_msg(struct tipc_link *l_ptr, ...@@ -1703,6 +1709,7 @@ static void link_handle_out_of_seq_msg(struct tipc_link *l_ptr,
&l_ptr->newest_deferred_in, buf)) { &l_ptr->newest_deferred_in, buf)) {
l_ptr->deferred_inqueue_sz++; l_ptr->deferred_inqueue_sz++;
l_ptr->stats.deferred_recv++; l_ptr->stats.deferred_recv++;
TIPC_SKB_CB(buf)->deferred = true;
if ((l_ptr->deferred_inqueue_sz % 16) == 1) if ((l_ptr->deferred_inqueue_sz % 16) == 1)
tipc_link_send_proto_msg(l_ptr, STATE_MSG, 0, 0, 0, 0, 0); tipc_link_send_proto_msg(l_ptr, STATE_MSG, 0, 0, 0, 0, 0);
} else } else
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment