Re: [PATCH] net: ipv6: fix invalid alloclen in __ip6_append_data

From: Tadeusz Struk
Date: Tue Mar 08 2022 - 10:43:34 EST


Hi David,

On 3/7/22 18:58, David Laight wrote:
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4788f6b37053..622345af323e 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1629,6 +1629,13 @@ static int __ip6_append_data(struct sock *sk,
err = -EINVAL;
goto error;
}
+ if (unlikely(alloclen < fraglen)) {
+ if (printk_ratelimit())
+ pr_warn("%s: wrong alloclen: %d, fraglen: %d",
+ __func__, alloclen, fraglen);
+ alloclen = fraglen;
+ }
+
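Review bot: The added `if (unlikely(alloclen < fraglen))` block overwrites alloclen with fraglen and carries on, which hides the inputs that produced the mismatch; it would be safer to log them and fail the call the way the preceding context does (`err = -EINVAL; goto error;`). As written the condition is also true whenever alloclen is deliberately set below fraglen and the remainder is carried in pagedlen, so it would warn on, and alter, a legitimate path. On style, the pr_warn() format string has no trailing "\n", and open-coding printk_ratelimit() around pr_warn() can be replaced by pr_warn_ratelimited() or net_warn_ratelimited().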
Except that is a valid case, see a few lines higher:

alloclen = min_t(int, fraglen, MAX_HEADER);
pagedlen = fraglen - alloclen;

You need to report the input values that cause the problem later on.

OK, but in this case it falls into the first if block:
https://elixir.bootlin.com/linux/v5.17-rc7/source/net/ipv6/ip6_output.c#L1606
where alloclen is assigned the value of mtu.
The values in this case, just before the alloc_skb(), are:

alloclen = 1480
alloc_extra = 136
datalen = 64095
fragheaderlen = 1480
fraglen = 65575
transhdrlen = 0
mtu = 1480

--
Thanks,
Tadeusz