From: Sridhar Samudrala <[EMAIL PROTECTED]>
Date: Fri, 05 May 2006 12:14:38 -0700

> [SCTP]: Prevent possible infinite recursion with multiple bundled DATA.
> 
> There is a rare situation that causes lksctp to go into infinite recursion
> and crash the system.  The trigger is a packet that contains at least the
> first two DATA fragments of a message bundled together. The recursion is
> triggered when the user data buffer is smaller than the full data message.
> The problem is that we clone the skb for every fragment in the message.
> When reassembling the full message, we try to link skbs from the "first
> fragment" clone using the frag_list. However, since the frag_list is shared
> between two clones in this rare situation, we end up setting the frag_list
> pointer of the second fragment to point to itself.  This causes
> sctp_skb_pull() to potentially recurse indefinitely.
> 
> Proposed solution is to make a copy of the skb when attempting to link
> things using frag_list.
> 
> Signed-off-by: Vladislav Yasevich <[EMAIL PROTECTED]>
> Signed-off-by: Sridhar Samudrala <[EMAIL PROTECTED]>

Applied, but again I had to manually remove a ton of trailing
whitespace added by this patch.
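
The shared frag_list problem described in the quoted commit message, as an added user-space C model that is not part of the original mail or of the kernel patch. The names `struct buf`, `shared_info`, `buf_new`, `pull` and `demo` are hypothetical, the fragment sizes are constructed, and the depth cap stands in for the unbounded recursion.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy user-space model (assumption, not kernel code): a clone gets its own
 * header but shares one shared_info, and with it the frag_list pointer. */
struct buf;
struct shared_info { struct buf *frag_list; };
struct buf { struct shared_info *shinfo; struct buf *next; int len; };

static struct buf *buf_new(struct shared_info *shared, int len) {
    struct buf *b = calloc(1, sizeof(*b));
    /* shared != NULL models a clone; NULL models a fresh buffer or a copy. */
    b->shinfo = shared ? shared : calloc(1, sizeof(*shared));
    b->len = len;
    return b;
}

/* Pull-style walk: eat len bytes from the head, then recurse into frag_list.
 * The depth cap exists only so the model reports the loop instead of crashing. */
static int pull(struct buf *b, int len, int depth) {
    if (depth > 64) return -1;
    int take = len < b->len ? len : b->len;
    b->len -= take;
    len -= take;
    for (struct buf *f = b->shinfo->frag_list; f && len > 0; f = f->next) {
        len = pull(f, len, depth + 1);
        if (len < 0) return -1;
    }
    return len;
}

/* Two fragments cloned from one bundled packet plus a third from another
 * packet; the reader pulls 250 of 300 bytes. Returns the bytes left
 * unpulled, or -1 if the walk looped. Allocations are not freed here. */
int demo(int copy_head) {
    struct buf *pkt = buf_new(NULL, 0);             /* the bundled packet */
    struct buf *frag1 = buf_new(pkt->shinfo, 100);  /* clone: DATA fragment 1 */
    struct buf *frag2 = buf_new(pkt->shinfo, 100);  /* clone: DATA fragment 2 */
    struct buf *frag3 = buf_new(NULL, 100);         /* from a later packet */
    frag2->next = frag3;
    /* Reassembly: link the rest of the message from the head's frag_list. */
    struct buf *head = copy_head ? buf_new(NULL, frag1->len) : frag1;
    head->shinfo->frag_list = frag2; /* no copy: frag2's frag_list is now frag2 */
    return pull(head, 250, 0);
}

int main(void) {
    printf("shared head: %d\ncopied head: %d\n", demo(0), demo(1));
    return 0;
}
```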
