Re: [PATCH] net: Fix potential out of bound write in skb_try_coalesce()
From: Eric Dumazet
Date: Tue Aug 04 2020 - 10:35:57 EST
On Tue, Aug 4, 2020 at 4:46 AM linmiaohe <linmiaohe@xxxxxxxxxx> wrote:
>
> From: Miaohe Lin <linmiaohe@xxxxxxxxxx>
>
> The head_frag of skb would occupy one extra skb_frag_t. Take it into
> account or out of bound write to skb frags may happen.
>
> Signed-off-by: Miaohe Lin <linmiaohe@xxxxxxxxxx>
Please share a stack trace if this was a real bug spotted in the wild.
I do not believe this patch is correct.
if (A + B >= MAX) is equivalent to if (A + B + 1 > MAX)
Note how the other condition (when there is no bytes in skb header) is coded :
if (A + B > MAX) return false;
In anycase, please always provide a Fixes: tag for any bug fix.
Thanks.