On Wed, 2018-01-10 at 12:45 -0500, Mike Maloney wrote:
> From: Mike Maloney <malo...@google.com>
> 
> The logic in __ip6_append_data() assumes that the MTU is at least large
> enough for the headers.  A device's MTU may be adjusted after being
> added while sendmsg() is processing data, resulting in
> __ip6_append_data() seeing any MTU.  For an mtu smaller than the size of
> the fragmentation header, the math results in a negative 'maxfraglen',
> which causes problems when refragmenting any previous skb in the
> skb_write_queue, leaving it possibly malformed.
> 
> Instead, sendmsg returns EINVAL when the mtu is calculated to be less
> than IPV6_MIN_MTU.
> 
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Signed-off-by: Mike Maloney <malo...@google.com>
> 
Reviewed-by: Eric Dumazet <eduma...@google.com>
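The arithmetic the patch description refers to can be reproduced in user space. The following is an added illustration written for this thread, not code from the patch or from the kernel tree: it models the `maxfraglen` computation of `__ip6_append_data()` with the same operand types (unsigned `mtu` and `fragheaderlen`, signed result), as I recall the kernel expression (treat the exact expression as an assumption), and assumes a plain IPv6 header with no extension headers so that `fragheaderlen` is 40 bytes. The `IPV6_MIN_MTU` (1280) and fragment-header (8 byte) constants are the standard IPv6 values. The "before" function shows the value going negative once the MTU drops below the size of the fragment header, as the description says; the "after" function applies the patch's check and rejects such MTUs with `-EINVAL` before the value is ever computed.

```c
#include <errno.h>
#include <stdio.h>

/* Standard IPv6 sizes: minimum link MTU, base header, fragment extension header. */
#define IPV6_MIN_MTU  1280u
#define IPV6_HDR_LEN  40u
#define FRAG_HDR_LEN  8u

/* Model of the kernel's maxfraglen expression (written from memory, so an
 * approximation): unsigned arithmetic throughout, then stored into an int.
 * When mtu < fragheaderlen the subtraction wraps; the later additions undo
 * most of the wrap, leaving roughly (mtu rounded down to 8) - FRAG_HDR_LEN,
 * which is negative for any mtu below the fragment header size. */
static int compute_maxfraglen(unsigned int mtu, unsigned int fragheaderlen)
{
    unsigned int v = ((mtu - fragheaderlen) & ~7u) + fragheaderlen - FRAG_HDR_LEN;
    return (int)v;   /* two's-complement wrap on the platforms the kernel targets */
}

/* Before the fix: the MTU seen at this point is used as-is. */
int maxfraglen_before_fix(unsigned int mtu)
{
    unsigned int fragheaderlen = IPV6_HDR_LEN;   /* assumption: no extension headers */
    return compute_maxfraglen(mtu, fragheaderlen);
}

/* After the fix: an MTU below IPV6_MIN_MTU is refused with -EINVAL, so the
 * subtraction can never wrap and maxfraglen is always non-negative. */
int maxfraglen_after_fix(unsigned int mtu, int *maxfraglen)
{
    unsigned int fragheaderlen = IPV6_HDR_LEN;

    if (mtu < IPV6_MIN_MTU)
        return -EINVAL;

    *maxfraglen = compute_maxfraglen(mtu, fragheaderlen);
    return 0;
}

int main(void)
{
    /* Constructed sample MTUs: a handful below the fragment header size,
     * one exactly IPV6_MIN_MTU and one typical Ethernet MTU. */
    unsigned int samples[] = { 0, 4, 7, 8, 1280, 1500 };
    size_t n = sizeof(samples) / sizeof(samples[0]);

    for (size_t i = 0; i < n; i++) {
        int after = 0;
        int rc = maxfraglen_after_fix(samples[i], &after);
        printf("mtu=%4u  before: maxfraglen=%5d  after: %s\n",
               samples[i], maxfraglen_before_fix(samples[i]),
               rc == 0 ? "accepted" : "rejected with -EINVAL");
    }
    return 0;
}
```

Running it shows `maxfraglen` of -8 for every MTU below 8 in the "before" column, which is the negative length the description says later corrupts the skbs being refragmented; with the check in place those MTUs never reach the computation.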