summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2016-12-09 17:02:05 +0100
committerDavid S. Miller <davem@davemloft.net>2016-12-10 05:06:10 +0100
commit3174fed9820edc95cff74ad0934c3240c7fb5115 (patch)
tree57b6f56d50fe1329c2f93b91921ca59940107def
parentMerge tag 'mac80211-next-for-davem-2016-12-09' of git://git.kernel.org/pub/sc... (diff)
downloadlinux-3174fed9820edc95cff74ad0934c3240c7fb5115.tar.xz
linux-3174fed9820edc95cff74ad0934c3240c7fb5115.zip
net: skb_condense() can also deal with empty skbs
It seems attackers can also send UDP packets with no payload at all. skb_condense() can still be a win in this case. It will be possible to replace the custom code in tcp_add_backlog() to get full benefit from skb_condense() Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/core/skbuff.c22
1 files changed, 13 insertions, 9 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 84151cf40aeb..65a74e13c45b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4946,16 +4946,20 @@ EXPORT_SYMBOL(pskb_extract);
*/
void skb_condense(struct sk_buff *skb)
{
- if (!skb->data_len ||
- skb->data_len > skb->end - skb->tail ||
- skb_cloned(skb))
- return;
-
- /* Nice, we can free page frag(s) right now */
- __pskb_pull_tail(skb, skb->data_len);
+ if (skb->data_len) {
+ if (skb->data_len > skb->end - skb->tail ||
+ skb_cloned(skb))
+ return;
- /* Now adjust skb->truesize, since __pskb_pull_tail() does
- * not do this.
+ /* Nice, we can free page frag(s) right now */
+ __pskb_pull_tail(skb, skb->data_len);
+ }
+ /* At this point, skb->truesize might be over estimated,
+ * because skb had a fragment, and fragments do not tell
+ * their truesize.
+ * When we pulled its content into skb->head, fragment
+ * was freed, but __pskb_pull_tail() could not possibly
+ * adjust skb->truesize, not knowing the frag truesize.
*/
skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
}