gro: Fix use after free in tcp_gro_receive

[pandora-kernel.git] / net / ipv4 / tcp.c

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index fafbec8..1d7f49c 100644 (file)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2511,6 +2511,7 @@ struct sk_buff **tcp_gro_receive(struct sk_buff **head, struct sk_buff *skb)
        struct sk_buff *p;
        struct tcphdr *th;
        struct tcphdr *th2;
        struct sk_buff *p;
        struct tcphdr *th;
        struct tcphdr *th2;

+       unsigned int len;

        unsigned int thlen;
        unsigned int flags;
        unsigned int mss = 1;
        unsigned int thlen;
        unsigned int flags;
        unsigned int mss = 1;


@@ -2531,6 +2532,7 @@ struct sk_buff **tcp_gro_receive(struct sk_buff **head, struct sk_buff *skb)
 
        skb_gro_pull(skb, thlen);
 
 
        skb_gro_pull(skb, thlen);
 

+       len = skb_gro_len(skb);

        flags = tcp_flag_word(th);
 
        for (; (p = *head); head = &p->next) {
        flags = tcp_flag_word(th);
 
        for (; (p = *head); head = &p->next) {


@@ -2561,7 +2563,7 @@ found:
 
        mss = skb_shinfo(p)->gso_size;
 
 
        mss = skb_shinfo(p)->gso_size;
 

-       flush |= (skb_gro_len(skb) > mss) | !skb_gro_len(skb);
+       flush |= (len > mss) | !len;

        flush |= (ntohl(th2->seq) + skb_gro_len(p)) ^ ntohl(th->seq);
 
        if (flush || skb_gro_receive(head, skb)) {
        flush |= (ntohl(th2->seq) + skb_gro_len(p)) ^ ntohl(th->seq);
 
        if (flush || skb_gro_receive(head, skb)) {


@@ -2574,7 +2576,7 @@ found:
        tcp_flag_word(th2) |= flags & (TCP_FLAG_FIN | TCP_FLAG_PSH);
 
 out_check_final:
        tcp_flag_word(th2) |= flags & (TCP_FLAG_FIN | TCP_FLAG_PSH);
 
 out_check_final:

-       flush = skb_gro_len(skb) < mss;
+       flush = len < mss;

        flush |= flags & (TCP_FLAG_URG | TCP_FLAG_PSH | TCP_FLAG_RST |
                          TCP_FLAG_SYN | TCP_FLAG_FIN);
 
        flush |= flags & (TCP_FLAG_URG | TCP_FLAG_PSH | TCP_FLAG_RST |
                          TCP_FLAG_SYN | TCP_FLAG_FIN);