From: Mike Maloney <maloneyker...@gmail.com>
Date: Wed, 10 Jan 2018 12:45:10 -0500

> From: Mike Maloney <malo...@google.com>
>
> The logic in __ip6_append_data() assumes that the MTU is at least large
> enough for the headers. A device's MTU may be adjusted after being
> added while sendmsg() is processing data, resulting in
> __ip6_append_data() seeing any MTU. For an mtu smaller than the size of
> the fragmentation header, the math results in a negative 'maxfraglen',
> which causes problems when refragmenting any previous skb in the
> skb_write_queue, leaving it possibly malformed.
>
> Instead sendmsg returns EINVAL when the mtu is calculated to be less
> than IPV6_MIN_MTU.
 ...
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Signed-off-by: Mike Maloney <malo...@google.com>

Applied and queued up for -stable, thank you.
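Added example, not part of this thread or of the kernel patch: a small C model of the arithmetic the commit message describes, run over constructed MTU values, next to the guard it describes. The formula's exact shape and the names `model_maxfraglen` and `checked_maxfraglen` are assumptions made for illustration (signed ints are used so the sign is visible); the header sizes are the fixed 40-byte IPv6 header and the 8-byte fragment header.

```c
#include <stdio.h>
#include <errno.h>

#define IPV6_MIN_MTU  1280  /* minimum link MTU required by IPv6 */
#define IPV6_HDR_LEN  40    /* fixed IPv6 header, no extension headers */
#define FRAG_HDR_LEN  8     /* IPv6 fragment extension header */

/* Assumed, simplified model of the fragment-length math: the largest
 * 8-byte-aligned payload that fits in mtu, plus the unfragmentable
 * headers, minus room for the fragment header. */
static int model_maxfraglen(int mtu, int fragheaderlen)
{
    return ((mtu - fragheaderlen) & ~7) + fragheaderlen - FRAG_HDR_LEN;
}

/* Guarded variant: refuse an MTU below IPV6_MIN_MTU before doing any
 * math, which is the behaviour the commit message describes (EINVAL). */
static int checked_maxfraglen(int mtu, int fragheaderlen, int *out)
{
    if (mtu < IPV6_MIN_MTU)
        return -EINVAL;
    *out = model_maxfraglen(mtu, fragheaderlen);
    return 0;
}

int main(void)
{
    /* Constructed MTUs: typical, minimum, and too small for the headers. */
    int mtus[] = { 1500, 1280, 40, 8, 7, 4 };

    for (size_t i = 0; i < sizeof(mtus) / sizeof(mtus[0]); i++) {
        int out = 0;
        int rc = checked_maxfraglen(mtus[i], IPV6_HDR_LEN, &out);

        printf("mtu=%4d  unchecked maxfraglen=%5d  checked rc=%d\n",
               mtus[i], model_maxfraglen(mtus[i], IPV6_HDR_LEN), rc);
    }
    return 0;
}
```

In this model the result first goes negative at an MTU of 7, one byte below the fragment header size, which matches the threshold the commit message gives.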