Re: [PATCH] IPV6_CHECKSUM socket option can corrupt kernel memory

To: David Stevens <dlstevens@xxxxxxxxxx>
Subject: Re: [PATCH] IPV6_CHECKSUM socket option can corrupt kernel memory
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 15 Apr 2005 10:41:02 +1000
Cc: davem@xxxxxxxxxxxxx, netdev@xxxxxxxxxxx, yoshfuji@xxxxxxxxxxxxxx
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i

On Thu, Apr 14, 2005 at 05:31:38PM -0700, David Stevens wrote:
> > In fact with your patch we can end up calling ip6_flush_pending_frames
> > twice.  Granted that it is currently harmless but it isn't nice.
>         I don't see this. My original patch only calls
> ip6_flush_pending_frames() once, since the original code already only

You called ip6_flush_pending_frames() when rawv6_push_pending_frames
returned an error.  However rawv6_push_pending_frames can return an
error that was in turn returned by ip6_push_pending_frames.

As you know ip6_push_pending_frames always frees the cork buffer so
this is tantamount to calling ip6_flush_pending_frames twice.

>         I saw that in the code, but I also saw a 2K single skb when the
> MTU is 1500. A piece I looked at appeared to be allocating space for

That's definitely wrong.  Please give us a test case (or patch :) so
that this can be fixed.

Visit Openswan at
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page:
PGP Key:
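
Added example, not part of the original message and not kernel code: a user-space model of the error path discussed above, where a caller that flushes on any error from rawv6_push_pending_frames ends up flushing a queue that ip6_push_pending_frames has already released. All `model_*` names, the frame count and the error values are constructed for illustration, and moving the cleanup into the callee is one possible arrangement assumed here, not necessarily the fix that was merged.

```c
#include <stdio.h>

/* Constructed user-space model, not kernel code; every model_* name is hypothetical. */
struct model_queue {
    int pending;        /* frames still corked on the socket */
    int empty_flushes;  /* flush calls that found nothing left to free */
};

/* Stands in for ip6_flush_pending_frames(): drop whatever is still queued. */
static void model_flush(struct model_queue *q) {
    if (q->pending == 0)
        q->empty_flushes++;
    q->pending = 0;
}

/* Stands in for ip6_push_pending_frames(): as the message states, the
 * corked data is released whether or not transmission succeeds. */
static int model_ip6_push(struct model_queue *q, int xmit_err) {
    q->pending = 0;
    return xmit_err;
}

/* Stands in for rawv6_push_pending_frames(). It can fail before the hand-off
 * (queue untouched) or pass through an error from model_ip6_push(). */
static int model_rawv6_push(struct model_queue *q, int bad_offset,
                            int xmit_err, int callee_cleans_up) {
    if (bad_offset) {
        if (callee_cleans_up)
            model_flush(q);   /* the only path where frames are still queued */
        return -22;           /* -EINVAL */
    }
    return model_ip6_push(q, xmit_err);
}

/* Send three frames. Returns flushes that hit an empty queue, or -1 on a leak. */
int model_send(int bad_offset, int xmit_err, int callee_cleans_up) {
    struct model_queue q = { 3, 0 };
    int err = model_rawv6_push(&q, bad_offset, xmit_err, callee_cleans_up);
    if (err && !callee_cleans_up)
        model_flush(&q);      /* caller flushes on any error */
    return q.pending ? -1 : q.empty_flushes;
}

int main(void) {
    printf("caller flush, early error:        %d\n", model_send(1, 0, 0));
    printf("caller flush, passed-through err: %d\n", model_send(0, -90, 0));
    printf("callee flush, passed-through err: %d\n", model_send(0, -90, 1));
    return 0;
}
```

In this model the redundant flush is harmless only because flushing an empty queue is a no-op, which is the property the quoted text calls "currently harmless".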
