summaryrefslogtreecommitdiffstats
path: root/net/ipv4/tcp_output.c
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2005-09-14 20:50:35 -0700
committerDavid S. Miller <davem@davemloft.net>2005-09-14 20:50:35 -0700
commit3c05d92ed49f644d1f5a960fa48637d63b946016 (patch)
tree4882f2b114f7bb497e9844e21fe8bff4f8160def /net/ipv4/tcp_output.c
parent1619cca2921f6927f4240e03f413d4165c7002fc (diff)
downloadlinux-stable-3c05d92ed49f644d1f5a960fa48637d63b946016.tar.gz
linux-stable-3c05d92ed49f644d1f5a960fa48637d63b946016.tar.bz2
linux-stable-3c05d92ed49f644d1f5a960fa48637d63b946016.zip
[TCP]: Compute in_sacked properly when we split up a TSO frame.
The problem is that the SACK fragmenting code may incorrectly call tcp_fragment() with a length larger than the skb->len. This happens when the skb on the transmit queue completely falls to the LHS of the SACK. And add a BUG() check to tcp_fragment() so we can spot this kind of error more quickly in the future. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_output.c')
-rw-r--r--net/ipv4/tcp_output.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index c10e4435e3b1..b018e31b6530 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -435,6 +435,8 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
int nsize, old_factor;
u16 flags;
+ BUG_ON(len >= skb->len);
+
nsize = skb_headlen(skb) - len;
if (nsize < 0)
nsize = 0;