tcp: fix tcp_md5_hash_skb_data()

[pandora-kernel.git] / net / ipv4 / ip_fragment.c

diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index fdaabf2..8f441b2 100644 (file)
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -20,6 +20,8 @@
  *             Patrick McHardy :       LRU queue of frag heads for evictor.
  */
 
+#define pr_fmt(fmt) "IPv4: " fmt
+
 #include <linux/compiler.h>
 #include <linux/module.h>
 #include <linux/types.h>
@@ -249,8 +251,7 @@ static void ip_expire(unsigned long arg)
                if (!head->dev)
                        goto out_rcu_unlock;
 
-               /* skb dst is stale, drop it, and perform route lookup again */
-               skb_dst_drop(head);
+               /* skb has no dst, perform route lookup again */
                iph = ip_hdr(head);
                err = ip_route_input_noref(head, iph->daddr, iph->saddr,
                                           iph->tos, head->dev);
@@ -293,14 +294,12 @@ static inline struct ipq *ip_find(struct net *net, struct iphdr *iph, u32 user)
        hash = ipqhashfn(iph->id, iph->saddr, iph->daddr, iph->protocol);
 
        q = inet_frag_find(&net->ipv4.frags, &ip4_frags, &arg, hash);
-       if (q == NULL)
-               goto out_nomem;
+       if (IS_ERR_OR_NULL(q)) {
+               inet_frag_maybe_warn_overflow(q, pr_fmt());
+               return NULL;
+       }
 
        return container_of(q, struct ipq, q);
-
-out_nomem:
-       LIMIT_NETDEBUG(KERN_ERR "ip_frag_create: no memory left !\n");
-       return NULL;
 }
 
 /* Is the fragment too far ahead to be part of ipq? */
@@ -518,8 +517,16 @@ found:
                qp->q.last_in |= INET_FRAG_FIRST_IN;
 
        if (qp->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
-           qp->q.meat == qp->q.len)
-               return ip_frag_reasm(qp, prev, dev);
+           qp->q.meat == qp->q.len) {
+               unsigned long orefdst = skb->_skb_refdst;
+
+               skb->_skb_refdst = 0UL;
+               err = ip_frag_reasm(qp, prev, dev);
+               skb->_skb_refdst = orefdst;
+               return err;
+       }
+
+       skb_dst_drop(skb);
 
        write_lock(&ip4_frags.lock);
        list_move_tail(&qp->q.lru_list, &qp->q.net->lru_list);
@@ -684,28 +691,27 @@ EXPORT_SYMBOL(ip_defrag);
 
 struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user)
 {
-       const struct iphdr *iph;
+       struct iphdr iph;
        u32 len;
 
        if (skb->protocol != htons(ETH_P_IP))
                return skb;
 
-       if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+       if (!skb_copy_bits(skb, 0, &iph, sizeof(iph)))
                return skb;
 
-       iph = ip_hdr(skb);
-       if (iph->ihl < 5 || iph->version != 4)
-               return skb;
-       if (!pskb_may_pull(skb, iph->ihl*4))
+       if (iph.ihl < 5 || iph.version != 4)
                return skb;
-       iph = ip_hdr(skb);
-       len = ntohs(iph->tot_len);
-       if (skb->len < len || len < (iph->ihl * 4))
+
+       len = ntohs(iph.tot_len);
+       if (skb->len < len || len < (iph.ihl * 4))
                return skb;
 
-       if (ip_is_fragment(ip_hdr(skb))) {
+       if (ip_is_fragment(&iph)) {
                skb = skb_share_check(skb, GFP_ATOMIC);
                if (skb) {
+                       if (!pskb_may_pull(skb, iph.ihl*4))
+                               return skb;
                        if (pskb_trim_rcsum(skb, len))
                                return skb;
                        memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));