From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Fri, 30 Jun 2006 03:11:25 +0000 (-0700)
Subject: [TCP]: Reset gso_segs if packet is dodgy
X-Git-Tag: firefly_0821_release~34629^2~10
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=3820c3f3e41786322c0bb225b9c77b8deff869d1;p=firefly-linux-kernel-4.4.55.git

[TCP]: Reset gso_segs if packet is dodgy

I wasn't paranoid enough in verifying GSO information.  A bogus gso_segs
could upset drivers as much as a bogus header would.  Let's reset it in
the per-protocol gso_segment functions.

I didn't verify gso_size because that can be verified by the source of
the dodgy packets.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 0336422c88a0..0bb0ac96d675 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2166,13 +2166,19 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
 	if (!pskb_may_pull(skb, thlen))
 		goto out;
 
-	segs = NULL;
-	if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST))
-		goto out;
-
 	oldlen = (u16)~skb->len;
 	__skb_pull(skb, thlen);
 
+	if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
+		/* Packet is from an untrusted source, reset gso_segs. */
+		int mss = skb_shinfo(skb)->gso_size;
+
+		skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
+
+		segs = NULL;
+		goto out;
+	}
+
 	segs = skb_segment(skb, features);
 	if (IS_ERR(segs))
 		goto out;
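Review bot: the division in the added block, `skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;`, uses `mss` taken straight from `gso_size` on a packet the comment itself calls untrusted, and nothing in this hunk rules out zero. The commit message says gso_size is verified by the source of the dodgy packets, so either note that invariant in the comment next to the division or bail out to `out` when `mss` is 0, so the dependency is visible to whoever touches this path next. A smaller point on the same block: the check now sits after `__skb_pull(skb, thlen)` so that `skb->len` is the payload length, which also means the early `goto out` leaves with the TCP header already pulled. A short comment saying the ordering is deliberate, and that the caller copes with the pulled skb, would help.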