[PATCH] remote memory corruptor in ibmtr.c

ip_summed changes last summer had missed that one. As the result,
we have ip_summed interpreted as CHECKSUM_PARTIAL now. IOW,
->csum is interpreted as offset of checksum in the packet. net/core/*
will both read and modify the value as that offset, with obvious
reasons. At the very least it's a remote memory corruptor.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
diff --git a/drivers/net/tokenring/ibmtr.c b/drivers/net/tokenring/ibmtr.c
index bfe5986..0d97e10 100644
--- a/drivers/net/tokenring/ibmtr.c
+++ b/drivers/net/tokenring/ibmtr.c
@@ -1826,7 +1826,7 @@
skb->protocol = tr_type_trans(skb, dev);
if (IPv4_p) {
skb->csum = chksum;
- skb->ip_summed = 1;
+ skb->ip_summed = CHECKSUM_COMPLETE;
}
netif_rx(skb);
dev->last_rx = jiffies;
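
Review bot: at `skb->ip_summed = CHECKSUM_COMPLETE;` nothing in the visible context shows how `chksum` is accumulated, and CHECKSUM_COMPLETE is only correct if that value is a full checksum over the packet data handed to netif_rx(). A one-line comment above `skb->csum = chksum;` stating what `chksum` covers would let a reader verify that without leaving this block. Because the original defect was a bare `1` whose meaning changed underneath it, it is also worth checking the rest of ibmtr.c for any other numeric literals assigned to or compared against `ip_summed`, so every use goes through the named CHECKSUM_* constants.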