From: Al Viro Date: Mon, 4 Dec 2006 22:05:09 +0000 (+0000) Subject: [PATCH] remote memory corruptor in ibmtr.c X-Git-Tag: firefly_0821_release~30985^2~47^2~106 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=ee28b0da1069ced1688aa9d0b7b378353b988321;p=firefly-linux-kernel-4.4.55.git [PATCH] remote memory corruptor in ibmtr.c ip_summed changes last summer had missed that one. As the result, we have ip_summed interpreted as CHECKSUM_PARTIAL now. IOW, ->csum is interpreted as offset of checksum in the packet. net/core/* will both read and modify the value as that offset, with obvious reasons. At the very least it's a remote memory corruptor. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds --- diff --git a/drivers/net/tokenring/ibmtr.c b/drivers/net/tokenring/ibmtr.c index bfe59865b1dd..0d97e10ccac5 100644 --- a/drivers/net/tokenring/ibmtr.c +++ b/drivers/net/tokenring/ibmtr.c @@ -1826,7 +1826,7 @@ static void tr_rx(struct net_device *dev) skb->protocol = tr_type_trans(skb, dev); if (IPv4_p) { skb->csum = chksum; - skb->ip_summed = 1; + skb->ip_summed = CHECKSUM_COMPLETE; } netif_rx(skb); dev->last_rx = jiffies;