Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 3c05d92ed49f644d1f5a960fa48637d63b946016^! / . / net / ipv4 / tcp_input.c
commit3c05d92ed49f644d1f5a960fa48637d63b946016[log] [tgz]
authorHerbert Xu <herbert@gondor.apana.org.au>Wed Sep 14 20:50:35 2005 -0700
committerDavid S. Miller <davem@davemloft.net>Wed Sep 14 20:50:35 2005 -0700
tree4882f2b114f7bb497e9844e21fe8bff4f8160def
parent1619cca2921f6927f4240e03f413d4165c7002fc [diff] [blame]
[TCP]: Compute in_sacked properly when we split up a TSO frame.

The problem is that the SACK fragmenting code may incorrectly call
tcp_fragment() with a length larger than the skb->len.  This happens
when the skb on the transmit queue completely falls to the LHS of the
SACK.

And add a BUG() check to tcp_fragment() so we can spot this kind of
error more quickly in the future.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 29222b96..a7537c7 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c

@@ -979,14 +979,19 @@
 			if (!before(TCP_SKB_CB(skb)->seq, end_seq))
 				break;
 
+			in_sack = !after(start_seq, TCP_SKB_CB(skb)->seq) &&
+				!before(end_seq, TCP_SKB_CB(skb)->end_seq);
+
 			pcount = tcp_skb_pcount(skb);
 
-			if (pcount > 1 &&
-			    (after(start_seq, TCP_SKB_CB(skb)->seq) ||
-			     before(end_seq, TCP_SKB_CB(skb)->end_seq))) {
+			if (pcount > 1 && !in_sack &&
+			    after(TCP_SKB_CB(skb)->end_seq, start_seq)) {
 				unsigned int pkt_len;
 
-				if (after(start_seq, TCP_SKB_CB(skb)->seq))
+				in_sack = !after(start_seq,
+						 TCP_SKB_CB(skb)->seq);
+
+				if (!in_sack)
 					pkt_len = (start_seq -
 						   TCP_SKB_CB(skb)->seq);
 				else
@@ -999,9 +1004,6 @@
 
 			fack_count += pcount;
 
-			in_sack = !after(start_seq, TCP_SKB_CB(skb)->seq) &&
-				!before(end_seq, TCP_SKB_CB(skb)->end_seq);
-
 			sacked = TCP_SKB_CB(skb)->sacked;
 
 			/* Account D-SACK for retransmitted packet. */