summaryrefslogtreecommitdiffstats
path: root/net/sctp/sm_statefuns.c
diff options
context:
space:
mode:
authorVladislav Yasevich <vladsilav.yasevich@hp.com>2006-05-05 17:03:49 -0700
committerDavid S. Miller <davem@davemloft.net>2006-05-05 17:03:49 -0700
commit672e7cca17ed6036a1756ed34cf20dbd72d5e5f6 (patch)
treed4c5b340e42fb7cca4d1a5282669ffae94227fdc /net/sctp/sm_statefuns.c
parent7c3ceb4fb9667f34f1599a062efecf4cdc4a4ce5 (diff)
downloadop-kernel-dev-672e7cca17ed6036a1756ed34cf20dbd72d5e5f6.zip
op-kernel-dev-672e7cca17ed6036a1756ed34cf20dbd72d5e5f6.tar.gz
[SCTP]: Prevent possible infinite recursion with multiple bundled DATA.
There is a rare situation that causes lksctp to go into infinite recursion and crash the system. The trigger is a packet that contains at least the first two DATA fragments of a message bundled together. The recursion is triggered when the user data buffer is smaller that the full data message. The problem is that we clone the skb for every fragment in the message. When reassembling the full message, we try to link skbs from the "first fragment" clone using the frag_list. However, since the frag_list is shared between two clones in this rare situation, we end up setting the frag_list pointer of the second fragment to point to itself. This causes sctp_skb_pull() to potentially recurse indefinitely. Proposed solution is to make a copy of the skb when attempting to link things using frag_list. Signed-off-by: Vladislav Yasevich <vladsilav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/sm_statefuns.c')
0 files changed, 0 insertions, 0 deletions
OpenPOWER on IntegriCloud