On Sun, Dec 02, 2007 at 12:48:07AM +0200, Ilpo Järvinen wrote:
>
> @@ -1220,6 +1221,11 @@ static inline struct sk_buff 
> *tcp_write_queue_next(struct sock *sk, struct sk_bu
>       return skb->next;
>  }
> 
> +static inline struct sk_buff *tcp_write_queue_prev(struct sock *sk, struct 
> sk_buff *skb)
> +{
> +     return skb->prev;
> +}
> +
>  #define tcp_for_write_queue(skb, sk)                                 \
>               for (skb = (sk)->sk_write_queue.next;                   \
>                    (skb != (struct sk_buff *)&(sk)->sk_write_queue);  \
> @@ -1241,6 +1247,11 @@ static inline struct sk_buff *tcp_send_head(struct 
> sock *sk)
> 
>  static inline void tcp_advance_send_head(struct sock *sk, struct sk_buff 
> *skb)
>  {
> +     struct sk_buff *prev = tcp_write_queue_prev(sk, skb);
> +
> +     TCP_SKB_CB(skb)->fack_count = TCP_SKB_CB(prev)->fack_count +
> +                                   tcp_skb_pcount(prev);
> +
>       sk->sk_send_head = skb->next;
>       if (sk->sk_send_head == (struct sk_buff *)&sk->sk_write_queue)
>               sk->sk_send_head = NULL;

This crashed my machine on boot.  The reason is that prev was empty.
I've added this fix to net-2.6.25.

[TCP]: Fix crash in tcp_advance_send_head

We need to check whether there is a prev in tcp_advance_send_head
before dereferencing it.  This patch does just that and leaves the
fack count at zero if there is no prev.

Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 7ae72c3..b3878ca 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1338,8 +1338,9 @@ static inline void tcp_advance_send_head(struct sock *sk, 
struct sk_buff *skb)
 {
        struct sk_buff *prev = tcp_write_queue_prev(sk, skb);
 
-       TCP_SKB_CB(skb)->fack_count = TCP_SKB_CB(prev)->fack_count +
-                                     tcp_skb_pcount(prev);
+       if (prev != (struct sk_buff *)&sk->sk_write_queue)
+               TCP_SKB_CB(skb)->fack_count = TCP_SKB_CB(prev)->fack_count +
+                                             tcp_skb_pcount(prev);
 
        sk->sk_send_head = tcp_write_queue_next(sk, skb);
        if (sk->sk_send_head == (struct sk_buff *)&sk->sk_write_queue)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to