David Woodhouse wrote:
> > if (frag->len > mtu ||
> > ((frag->len & 7) && frag->next) ||
> > - skb_headroom(frag) < hlen)
> > + skb_headroom(frag) < (hlen + hroom))
> >
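Review bot: the new bound in the last condition, `skb_headroom(frag) < (hlen + hroom)`, depends on `hroom`, which is neither defined nor explained in the lines shown. Please state in the changelog what `hroom` represents and how it is computed. The check here is applied per `frag`, so it is also worth confirming that the first skb is held to the same `hlen + hroom` requirement. As a style point, the parentheses around `hlen + hroom` are redundant.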
On Wed, 2015-09-16 at 15:27 +0200, Florian Westphal wrote:
> @@ -599,7 +600,7 @@ int ip6_fragment(struct sock *sk, struct sk_buff
> *skb,
> /* Correct geometry. */
> if (frag->len > mtu ||
> ((frag->len & 7) && frag->next)
On Wed, 2015-09-16 at 15:27 +0200, Florian Westphal wrote:
>
> David, could you test this? I'd do an official patch submission
> then.
Compiles. Doesn't fix the problem.
--
dwmw2
David Woodhouse wrote:
> On Wed, 2015-09-16 at 01:48 +0200, Florian Westphal wrote:
> >
> > What I don't understand is why you see this with fragmented ipv6
> > packets only (and not with all ipv6 forwarded skbs).
> >
> > Something like this copy-pastry from ip_finish_output2 should fix it:
>
On Wed, 2015-09-16 at 01:48 +0200, Florian Westphal wrote:
>
> What I don't understand is why you see this with fragmented ipv6
> packets only (and not with all ipv6 forwarded skbs).
>
> Something like this copy-pastry from ip_finish_output2 should fix it:
That works; thanks.
Tested-by: David
David Woodhouse wrote:
> I can repeatably crash my router with 'ping6 -s 2000' to an external
> machine:
> [ 61.741618] skbuff: skb_under_panic: text:c1277f1e len:1294 put:14
> head:dec98000 data:dec97ffc tail:0xdec9850a end:0xdec98f40 dev:br-lan
> [ 61.754128] [ cut here ]---
On Tue, Sep 15, 2015 at 04:53:20PM +0100, David Woodhouse wrote:
> I'm not entirely sure how to interpret the above stack trace. Is the
> incoming IPv6 packet being reassembled for netfilter's benefit, then
> re-fragmented for transmission?
Not refragmented. Both the reassembled packet and the or
I can repeatably crash my router with 'ping6 -s 2000' to an external
machine:
[ 61.741618] skbuff: skb_under_panic: text:c1277f1e len:1294 put:14
head:dec98000 data:dec97ffc tail:0xdec9850a end:0xdec98f40 dev:br-lan
[ 61.754128] [ cut here ]
[ 61.758754] Kernel BUG a