Skip to content

Commit 6ab2b99

Browse files
davem330davem330
committed
Merge tag 'batadv-net-for-davem-20170301' of git://git.open-mesh.org/linux-merge
Simon Wunderlich says: ==================== Here are two batman-adv bugfixes: - fix a potential double free when fragment merges fail, by Sven Eckelmann - fix failing tranmission of the 16th (last) fragment if that exists, by Linus Lüssing ==================== Signed-off-by: David S. Miller <[email protected]>
2 parents f1304f7 + 51c6b42 commit 6ab2b99

File tree

1 file changed

+11
-9
lines changed

1 file changed

+11
-9
lines changed

net/batman-adv/fragmentation.c

Lines changed: 11 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -239,8 +239,10 @@ static bool batadv_frag_insert_packet(struct batadv_orig_node *orig_node,
239239
spin_unlock_bh(&chain->lock);
240240

241241
err:
242-
if (!ret)
242+
if (!ret) {
243243
kfree(frag_entry_new);
244+
kfree_skb(skb);
245+
}
244246

245247
return ret;
246248
}
@@ -313,7 +315,7 @@ batadv_frag_merge_packets(struct hlist_head *chain)
313315
*
314316
* There are three possible outcomes: 1) Packet is merged: Return true and
315317
* set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
316-
* to NULL; 3) Error: Return false and leave skb as is.
318+
* to NULL; 3) Error: Return false and free skb.
317319
*
318320
* Return: true when packet is merged or buffered, false when skb is not not
319321
* used.
@@ -338,9 +340,9 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
338340
goto out_err;
339341

340342
out:
341-
*skb = skb_out;
342343
ret = true;
343344
out_err:
345+
*skb = skb_out;
344346
return ret;
345347
}
346348

@@ -499,6 +501,12 @@ int batadv_frag_send_packet(struct sk_buff *skb,
499501

500502
/* Eat and send fragments from the tail of skb */
501503
while (skb->len > max_fragment_size) {
504+
/* The initial check in this function should cover this case */
505+
if (unlikely(frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1)) {
506+
ret = -EINVAL;
507+
goto put_primary_if;
508+
}
509+
502510
skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
503511
if (!skb_fragment) {
504512
ret = -ENOMEM;
@@ -515,12 +523,6 @@ int batadv_frag_send_packet(struct sk_buff *skb,
515523
}
516524

517525
frag_header.no++;
518-
519-
/* The initial check in this function should cover this case */
520-
if (frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1) {
521-
ret = -EINVAL;
522-
goto put_primary_if;
523-
}
524526
}
525527

526528
/* Make room for the fragment header. */

0 commit comments

Comments
 (0)