1 From: http://patchwork.ozlabs.org/patch/18346/
2 Subject: gso: Ensure that the packet is long enough
3 See also http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/d490aa798cc4
5 When we get a GSO packet from an untrusted source, we need to
6 ensure that it is sufficiently long so that we don't end up
9 Based on discovery and patch by Ian Campbell.
11 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
12 Tested-by: Ian Campbell <ian.campbell@citrix.com>
13 Acked-by: jbeulich@novell.com
16 net/ipv4/tcp.c | 13 +++++++------
17 1 file changed, 7 insertions(+), 6 deletions(-)
21 @@ -2390,7 +2390,7 @@ struct sk_buff *tcp_tso_segment(struct s
28 if (!pskb_may_pull(skb, sizeof(*th)))
30 @@ -2406,10 +2406,13 @@ struct sk_buff *tcp_tso_segment(struct s
31 oldlen = (u16)~skb->len;
32 __skb_pull(skb, thlen);
34 + mss = skb_shinfo(skb)->gso_size;
35 + if (unlikely(skb->len <= mss))
38 if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
39 /* Packet is from an untrusted source, reset gso_segs. */
40 int type = skb_shinfo(skb)->gso_type;
45 @@ -2420,7 +2423,6 @@ struct sk_buff *tcp_tso_segment(struct s
46 !(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
49 - mss = skb_shinfo(skb)->gso_size;
50 skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
53 @@ -2431,8 +2433,7 @@ struct sk_buff *tcp_tso_segment(struct s
57 - len = skb_shinfo(skb)->gso_size;
58 - delta = htonl(oldlen + (thlen + len));
59 + delta = htonl(oldlen + (thlen + mss));
63 @@ -2448,7 +2449,7 @@ struct sk_buff *tcp_tso_segment(struct s
64 csum_fold(csum_partial(skb_transport_header(skb),