On Wed, 2015-09-16 at 15:27 +0200, Florian Westphal wrote: > @@ -599,7 +600,7 @@ int ip6_fragment(struct sock *sk, struct sk_buff > *skb, > /* Correct geometry. */ > if (frag->len > mtu || > ((frag->len & 7) && frag->next) || > - skb_headroom(frag) < hlen) > + skb_headroom(frag) < (hlen + hroom)) > goto slow_path_clean; > > /* Partially cloned skb? */
My test is 'ping -s 2000', and I end up with a fragment of 1280 bytes
followed by a fragment of 776 bytes.
The test cited above is only actually running on the latter fragment
(which for some reason is fine and has headroom of 58 bytes).
The first, larger, fragment isn't being checked. And that's the one
with only 10 bytes of headroom.
[ 62.027984] has frag list
[ 62.030616] line 604 check frag ddc5fcc0 len 776 headroom 58 (hlen 40 hroom
16)
[ 62.036720] line 678 send skb ded050c0 len 1280 headroom 10
[ 62.041096] skbuff: skb_under_panic: text:c125f9ca len:1294 put:14 head:dec89
000 data:dec88ffc tail:0xdec8950a end:0xdec89f50 dev:br-lan
--
dwmw2
smime.p7s
Description: S/MIME cryptographic signature
