[NETFILTER]: SCTP conntrack: fix crash triggered by packet without chunks

[linux-2.6] / net / ipv4 / tcp.c

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index c04176be7ed12826de51bcf036d2e64cd7f0b17e..0bb0ac96d675766e306eb23298d38a9c132df353 100644 (file)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2145,7 +2145,7 @@ int compat_tcp_getsockopt(struct sock *sk, int level, int optname,
 EXPORT_SYMBOL(compat_tcp_getsockopt);
 #endif
 
-struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int sg)
+struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
 {
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        struct tcphdr *th;
@@ -2169,7 +2169,17 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int sg)
        oldlen = (u16)~skb->len;
        __skb_pull(skb, thlen);
 
-       segs = skb_segment(skb, sg);
+       if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
+               /* Packet is from an untrusted source, reset gso_segs. */
+               int mss = skb_shinfo(skb)->gso_size;
+
+               skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
+
+               segs = NULL;
+               goto out;
+       }
+
+       segs = skb_segment(skb, features);
        if (IS_ERR(segs))
                goto out;